Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • Development
    • IT Management

    ISVs Avoid Windows Security Measures

    Written by

    Andrew Garcia
    Published July 13, 2010
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      In June, security research firm Secunia released a report entitled “DEP/ASLR Implementation Progress In Popular Third-party Windows Applications,” examining adoption rates among third-party application developers of the exploit avoidance technologies built into Windows. Not surprisingly, adoption was fairly low given the stated ease of their implementation.

      The report (PDF) looked at 16 popular third-party Windows applications (including application frameworks such as Adobe Flash and Java, browsers such as Firefox, Opera and Google Chrome, and standalone programs such as Adobe Reader or Apple iTunes), examining their adoption of Microsoft’s advanced security measures over the course of 26 months (from May 2008 to June 2010). In the end, the report found developer adoption of both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization)-in both Windows XP SP3 and Windows 7/Vista-was slowly increasing over time but was hardly pervasive.

      Secunia’s findings come as no surprise, as I’ve complained about the lack of developer adoption of Microsoft’s newer security strictures in the past, albeit focused more on user rights and UAC (User Account Control). For my most rancorous quote in that post, I wrote, “It’s bad code, written by lazy, hurried or unconcerned developers adhering to development standards 10 years in the rear view mirror.” However, in hindsight I regret using the word “lazy,” as I’ve found myself in the time since mightily impressed with the lengths some ISVs have gone to not only ensure their applications work with limited rights but that actually circumvent or subvert Microsoft’s controls altogether.

      Since Microsoft released Windows 7 RTM almost a year ago, I’ve been operating my primary system with limited user rights, supplemented with an AppLocker rule set that only allows me to run programs stored within the Windows or Program Files directories. This habit has proven most effective at providing insight into programs running from non-typical locations of the file system, places where the applications can be written and updated regardless of the user’s local rights under normal operating conditions.

      For instance, Google Chrome bypasses UAC entirely by installing itself within the AppData folder within the user’s profile-allowing Google to advertise the app for those without local admin rights. This workaround means Chrome needs to be installed separately for each user on a shared system, of course. Administrators who wish to add Chrome to their corporate build instead need to install Chrome using the Google Pack to extend the program to all local users by installing it in the Windows Program Files directory.

      Likewise, WebEx runs from a non-standard location, the C:ProgramData directory. A throwback to a simpler time, the ProgramData directory is a rare bastion of open write permissions in the base of the Windows 7 system drive, allowing non-admin users to write temp data-or programs-to disk. WebEx developers freely acknowledge they use that location because most of their users don’t have permission to write to the Program Files directory.

      My award for the trickiest UAC workaround, however, goes to Lenovo for their ThinkVantage System Update tool for Thinkpad laptops. When first installed, System Update creates an always-on service that auto-starts at system boot. When the System Update application is subsequently started by a limited rights user, the service dynamically generates a new user account on the local system with administrative rights (with random names like wostbqwyajHCZJEKNDQ), and the application’s tvsukernel.exe process runs as that user.

      Lenovo representatives inform me that this account’s “only purpose is to avoid multiple UAC prompts during installation and is cleaned up afterwards.” Although the account apparently has no password, I was not able to log in to the system interactively with it.

      ISVs commonly focus on their application’s features and functions, with system security often taking a backseat priority. Mostly, ISVs just want it to work, by hook or by crook. If and when security problems come to light due to their freewheeling approach-well, it can be fixed at that time.

      Andrew Garcia
      Andrew Garcia
      Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at [email protected].

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×