Most Windows Applications Use Microsofts DEP

SDL Progress Report from Microsoft shows one-third of popular consumer apps using ASLR

Most popular consumer applications today use Microsofts Data Execution Prevention (DEP) attack mitigation feature in Windows, while about one-third use its Address Space Layout Randomization (ASLR) security function.
The data was released today as part of Microsofts progress report on its Security Development Lifecycle (SDL). The software giant surveyed the DEP and ASLR settings in 41 popular third-party applications to measure the adoption of these attack mitigation technologies. ASLR was not deployed in 70 percent of browser plug-ins: That means even if a browser were running ASLR, if a plug-in does not, then ASLR isnt fully functional.
Microsofts SDL, a process of building security and privacy into its software, has been mandatory in-house at the software giant since 2004. Microsoft in 2007 began publicly releasing SDL tools and documentation in order to promote secure coding. DEP and ASLR are two of the higher profile security functions Microsoft has added to Windows.
Jeff Jones, director of Trustworthy Computing at Microsoft, says the disparity between DEP and ASLR adoption among apps likely has to do with DEP being available longer (since XP Service Pack 2) as well as being simpler to understand. DEP prevents an exploit from directly injecting and executing code from sections of memory used for data.
It has been around longer, and its pretty simple to enable, Jones says. ASLR didnt come on the scene until Windows Vista, where it first rolled out. ASLR is basically a security feature in Vista and Windows 7 that protects the system from an exploit attempting to call a system function. It places code in random areas of memory that makes it more difficult for an attacker to run malware on a machine.
While ASLR is fully enabled in 34 percent of these apps, its partially enabled in 46 percent of the commercial apps. Some 20 percent dont use ASLR at all.
Microsofts Jones says thats a respectable percentage of adoption. I was pleasantly surprised. Eighty percent has either fully or partially [deployed] it -- thats a good number, he says.
Gary McGraw, CTO at Cigital, also considers the new Microsoft data on DEP and ASLR deployment good news. That rate of adoption is pretty darn good ... because [the technology] is relatively new, says Gary McGraw, CTO at Cigital.
But deploying ASLR and DEP alone doesnt make for a secure app, he says. If you just count on only these two security functions, you wont get a secure app. You have to do everything else, too, [including] static analysis, pen testing, and the rest of the [steps] in the SDL.
When apps only partially enable ASLR, that means not all libraries are compiled with ASLR, which could allow an attacker to bypass DEP, notes Thomas Kristensen, CTO at Secunia.
And apps that only support either DEP or ASLR, or just partially support one, dont reap the same security benefits, security experts say.
DEP alone is less effective than ASLR as there are much easier ways to defeat DEP than ASLR. Combining DEP and ASLR results in the most effective exploit mitigation, says Chaouki Bekrar, CEO and head of research at VUPEN.
Some app developers avoid DEP because it can crash buggy apps, notes Secunias Kristensen. That obviously doesnt look good, and then it is natural to choose less security and more stability, he says.
Even so, DEP and ASLR arent impenetrable. Security researchers have found and demonstrated ways to bypass DEP. There are ways to bypass each individually, but combining the two makes the protection more efficient and significantly harder to exploit, Kristensen says.
The Microsoft SDL Progress Report can be downloaded
here
.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Most Windows Applications Use Microsofts DEP