Slashdot Mirror

← Back to Stories (view on slashdot.org)

Many Popular Windows Apps Ignore Security Options

Posted by Soulskill on from the who-uses-apps-anyway dept.

eldavojohn writes "The latest versions of Microsoft Windows have some good security options available — now if only they could get their most popular third-party applications to use them. A report from Secunia takes a look at two such options — DEP and ASLR — and Brian Krebs breaks down who is using them and who is not. A security specialist noted, 'If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly. While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms (PDF). If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attacker's choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.' Among those with neither DEP or ASLR: Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, and AOL's Winamp. While Flash player can't implement DEP, it does have ASLR. Google Chrome is the only popular third-party application listed with stars across the board." It's worth noting that several apps highlighted in the Secunia research paper have added support for those security options in recent patches, or are in the process of doing so. Examples include Firefox, VLC, and Foxit Reader.

4 of 202 comments (clear)

  1. Re:Wait a minute by booyabazooka · · Score: 0, Troll

    Why doesn't Windows enforce it's security?

    I question your assertion that Windows is security.

  2. Re:Wait a minute by Nutria · · Score: 0, Troll

    Because they write the OS and do not dictate what you can run on your box?

    Or do you want your windows apps to only come from Windows Application Store?

    That's a crock of camel dung.

    The Linux kernel (and presumably Unix/BSD) just does ASLR whether you want it or not, and distro packagers enable the NX bit in some kernels.

    --
    "I don't know, therefore Aliens" Wafflebox1
  3. ...Did they just say...? by Zixaphir · · Score: 0, Troll

    What the hell is Winamp doing on this list? That was popular, what? 2000? 2001? Is that obsolete program really still relevant?

    --
    "Now I am become Death, the destroyer of worlds"
  4. Re:Authenticode for free software? by Anonymous Coward · · Score: 0, Troll

    Apple doesn't allow unsigned programs to run at all. So let them run in a sandbox. The benefit far outweighs the drawbacks. Popular open-source projects that would like a certificate can petition their users for donations, like WinCDEmu has done.