Many popular Windows programs have insufficient protection

The author of the SlopFinder software writes that many popular Windows programs don't even use basic security mechanisms. With DEP (Data Execution Prevention), for example, the processor uses a flag (NX bit) to prevent the execution of injected code from within a range of data. The ASLR (Address Space Layout Randomisation) feature places code at unpredictable addresses to prevent exploits from misusing library functions or code fragments.

However, Windows doesn't stipulate the mandatory use of these features; the decision to use them lies with the application's developers. The result: protection is not enabled in many applications. To activate it, software developers would only need to enable DEP and ASLR in the compiler settings; this functionality has been available in the compiler's default settings since Microsoft Visual Studio 2005. However, the testers found that many popular programs – such as 7zip 9.20, Dropbox 1.6.3, WinPCap 4.1x and Pidgin 2.10.6 – are deployed without any DEP or ASLR protection. While many products protect at least some of their files, they often fail to offer protection for third-party DLL files.

Process Explorer: the DEP and ASLR details are shown in the bottom left corner. It is true that these security features can be bypassed and that programs which include them don't offer absolute security. However, the features do make attacking a system and exploiting security holes significantly more difficult, and they generally require little or no extra development effort. If the source code of a program is available, users can recompile the program with different settings. Administrators can also use Microsoft's EMET (Enhanced Mitigation Experience Toolkit) component to protect programs. Missing DEP and ASLR features can also be detected via Microsoft's Process Explorer.

See also:

• Damage limitation - Mitigating exploits with Microsoft's EMET, a feature from The H.

(djwm)