
Many Popular Windows Apps Ignore Security Options

Soulskill posted more than 4 years ago | from the who-uses-apps-anyway dept.


eldavojohn writes "The latest versions of Microsoft Windows have some good security options available — now if only they could get their most popular third-party applications to use them. A report from Secunia takes a look at two such options — DEP and ASLR — and Brian Krebs breaks down who is using them and who is not. A security specialist noted, 'If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly. While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms (PDF). If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attacker's choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.' Among those with neither DEP nor ASLR: Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, and AOL's Winamp. While Flash player can't implement DEP, it does have ASLR. Google Chrome is the only popular third-party application listed with stars across the board." It's worth noting that several apps highlighted in the Secunia research paper have added support for those security options in recent patches, or are in the process of doing so. Examples include Firefox, VLC, and Foxit Reader.


Wait a minute (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32786924)

Why doesn't Windows enforce its security?

Re:Wait a minute (3, Insightful)

Anonymous Coward | more than 4 years ago | (#32786990)

Why doesn't Windows enforce its security?

Because they write the OS and do not dictate what you can run on your box?

Or do you want your windows apps to only come from Windows Application Store?


Re:Wait a minute (0, Troll)

Nutria (679911) | more than 4 years ago | (#32787662)

Because they write the OS and do not dictate what you can run on your box?

Or do you want your windows apps to only come from Windows Application Store?

That's a crock of camel dung.

The Linux kernel (and presumably Unix/BSD) just does ASLR whether you want it or not, and distro packagers enable the NX bit in some kernels.

Re:Wait a minute (4, Informative)

mlts (1038732) | more than 4 years ago | (#32787674)

There is a balance between a walled garden and complete anarchy. Right now, Windows programs are at such a poor quality level because they can get away with it. It is SOP in the Windows arena to ship alpha or beta code, call it a release, then fix it after launch, if ever. Most of the time, bugs end up being given an "FNR", or fixed-in-next-release, status.

When Vista came out and added UAC for basic security, the screaming of app developers whining about not being able to have all their code have Administrator privs by default was unbelievable. In that time, Apple changed architectures and even though there was a tad of griping, it was not the hand-wringing that was observed from the Windows camp. Similarly when something changes under Linux that forces program developers to change course. Similarly with drivers in Vista. I know of more than one company which shipped broken drivers deliberately and pointed the finger at Microsoft when things crashed, as opposed to actually writing production quality code.

I'd like to see a compromise between the two extremes: First, applications that manage to pass a code quality review get a certificate. Second, have a rule that Authenticode-signed programs adhere to some code quality guidelines. Failure to do so gets the cert revoked. This way, programs install as normal. Finally, other programs that don't do either of these wind up in a virtual machine, completely isolated from the main OS, and the app windows they put up are clearly marked as coming from an untrusted application, similar to untrusted applets in Java's sandbox.

Microsoft has to both address being able to handle legacy code, and be able to keep a hand on lazy developers who will do the absolute minimum it takes to ship, even if it means ignoring every security guideline out there. This is what virtualization is for -- allow well-behaved apps, and companies who agreed to code quality standards, to install on the OS, while the legacy stuff can go play at the kiddie table in an encapsulated VM. Of course, if someone wants to drop a self-signed cert in for their code as they are developing it, or a company wants to write code in-house and wants their CA to be trusted for code revisions, they can feel free to do so.

Authenticode for free software? (3, Insightful)

tepples (727027) | more than 4 years ago | (#32787768)

[Programs not signed by a commercial code review agency] wind up in a virtual machine, completely isolated from the main OS and the app windows they put up are clearly marked as coming from an untrusted application, similar to untrusted applets in Java's sandbox.

Then any program that doesn't have a commercial entity behind it would have to run in the sandbox. For example, a lot of free software [wikipedia.org] for Windows lacks Authenticode signatures because many individuals who maintain free software in their spare time don't want to incorporate ($100 or more depending on state) in order to become eligible for an Authenticode certificate and then keep the certificate up to date ($179.95/year [instantssl.com] ).

Re:Wait a minute (-1, Troll)

vlueboy (1799360) | more than 4 years ago | (#32787744)

Why doesn't Windows enforce its security?

Because they write the OS and do not dictate what you can run on your box?

Har, har, har.

Microsoft has 3 separate technologies for "security" that do to us exactly what you claim they do not. See their Trusted [microsoft.com] Platform [microsoft.com] Modules [wikipedia.org] (TPM), DRM [wikipedia.org] and HDCP [wikipedia.org] divisions and reconsider our imaginary "freedom to run what we want" a double standard.

From Vista on, a clause in every Windows EULA gives MS the right to delete executables and files from YOUR computer should they choose to do so (does XP also have this?). I smell a wedge for more proactive witch hunts in the future where OSS code and "unencumbered" media/data is the target.

Re:Wait a minute (3, Informative)

Ironchew (1069966) | more than 4 years ago | (#32787006)

Because third-party developers can write whatever code they want to.

There is a registry setting that forcibly enables ASLR for all executables.

Re:Wait a minute (4, Informative)

guy-in-corner (614138) | more than 4 years ago | (#32787166)

Also, the DEP setting is opt-in on workstation SKUs (your app has to say that it wants it) -- for compatibility, and opt-out for server SKUs (your app has to say that it doesn't want it) -- for security.
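The per-application opt-in guy-in-corner describes, and the per-app table the Secunia report is built from, come down to two bits in the PE optional header's DllCharacteristics field: 0x0100 (NX_COMPAT, set by the MSVC linker's /NXCOMPAT) says the image is DEP-safe, and 0x0040 (DYNAMIC_BASE, from /DYNAMICBASE) says it may be relocated for ASLR. The checker below is an added example, not code from the page or from Secunia; the PE image it parses is a constructed minimal header rather than a real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics (values from the PE format spec). */
#define DLLCHAR_DYNAMIC_BASE 0x0040u   /* image may be rebased at load: ASLR opt-in */
#define DLLCHAR_NX_COMPAT    0x0100u   /* image declares itself DEP-safe: DEP opt-in on OptIn SKUs */

struct pe_mitigations {
    int valid;      /* 1 if the buffer parsed as a PE image */
    int aslr;       /* DYNAMIC_BASE set */
    int dep;        /* NX_COMPAT set */
    int pe32plus;   /* 64-bit optional header (magic 0x20b) rather than PE32 (0x10b) */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk MZ header -> e_lfanew -> "PE\0\0" -> COFF header -> optional header,
 * bounds-checking every hop so a truncated or hostile file can never be read past len. */
struct pe_mitigations pe_check(const uint8_t *img, size_t len) {
    struct pe_mitigations m = {0, 0, 0, 0};
    if (img == NULL || len < 0x40 || img[0] != 'M' || img[1] != 'Z') return m;
    uint32_t pe_off = rd32(img + 0x3C);                        /* e_lfanew */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return m;  /* signature + COFF + DllCharacteristics */
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return m;
    const uint8_t *coff = img + pe_off + 4;
    uint16_t opt_size = rd16(coff + 16);                       /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;
    uint16_t magic = rd16(opt);
    if (magic == 0x20b) m.pe32plus = 1;
    else if (magic != 0x10b) return m;                         /* neither PE32 nor PE32+ */
    if (opt_size < 72) return m;                               /* DllCharacteristics sits at +70 in both layouts */
    uint16_t dllchar = rd16(opt + 70);
    m.valid = 1;
    m.aslr = (dllchar & DLLCHAR_DYNAMIC_BASE) != 0;
    m.dep  = (dllchar & DLLCHAR_NX_COMPAT) != 0;
    return m;
}

/* Constructed sample: a bare PE32+ header (MZ stub, COFF header, optional header, no sections)
 * carrying the given DllCharacteristics, standing in for an executable read from disk. */
#define SAMPLE_PE_SIZE (0x80 + 4 + 20 + 240)
size_t build_sample_pe(uint8_t *buf, size_t cap, uint16_t dllchar) {
    if (cap < SAMPLE_PE_SIZE) return 0;
    memset(buf, 0, SAMPLE_PE_SIZE);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x80);                 /* e_lfanew: PE signature at offset 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4);
    uint8_t *coff = buf + 0x84;
    wr16(coff + 0, 0x8664);                 /* Machine: AMD64 */
    wr16(coff + 16, 240);                   /* SizeOfOptionalHeader for PE32+ */
    uint8_t *opt = coff + 20;
    wr16(opt + 0, 0x20b);                   /* PE32+ magic */
    wr16(opt + 70, dllchar);
    return SAMPLE_PE_SIZE;
}

/* Summarise one sample as a bitmask: bit0 parsed OK, bit1 ASLR opted in, bit2 DEP opted in. */
int sample_flags(uint16_t dllchar) {
    uint8_t buf[SAMPLE_PE_SIZE];
    size_t n = build_sample_pe(buf, sizeof buf, dllchar);
    struct pe_mitigations m = pe_check(buf, n);
    return m.valid | (m.aslr << 1) | (m.dep << 2);
}
```

Pointing pe_check at the bytes of an installed executable reproduces the "stars across the board" style verdict for that one binary; note that NX_COMPAT only matters on OptIn-policy machines, since OptOut applies DEP regardless of the bit.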

Re:Wait a minute (1)

yuhong (1378501) | more than 4 years ago | (#32787554)

I have manually set it to opt-out on the Vista system I am posting this on myself. On compatibility issues, I once had to add a DEP exception for Parallels Workstation 2.2, otherwise starting a virtual machine using it would cause a BSoD. It was even worse in the original version 2.0 dating back to 2005, which did not support the PAE page table format at all, forcing PAE and thus NX to be completely disabled.

Re:Wait a minute (0)

Anonymous Coward | more than 4 years ago | (#32787578)

What the hell is "Stock Keeping Unit' supposed to mean here?

Re:Wait a minute (1)

X0563511 (793323) | more than 4 years ago | (#32787584)

Er, "Professional" (XP) and "Ultimate" (Vista, 7) let you pick: Opt-In, Opt-Out, Force-On, Off.

Re:Wait a minute (-1, Flamebait)

djupedal (584558) | more than 4 years ago | (#32787022)

The real trolls are the ones that mark the OP as a troll...you guys think MS should get a bye on this? You're just as bad as that fucking brain-dead corporation. Suck my ass!

MS just doesn't care beyond kissing up to investors. Never have, never will.

Re:Wait a minute (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32787260)

cry more about it, fatty

Re:Wait a minute (3, Informative)

seibai (1805884) | more than 4 years ago | (#32787032)

Because enforcing that every application use these would mean certain sorts of applications couldn't be written (or at least not as easily).

DEP is data execution prevention. It marks certain areas of address space as being "data only", so the processor won't execute them. While this is generally a good idea, as it prevents a hacker from constructing a NOP sled and then using an access violation bug somewhere to execute code they've stuck in memory, it also has the side effect of making self-modifying code more difficult to write.

ASLR (address space layout randomization) is similar, as it breaks certain sorts of odd programming techniques like arithmetic variable addressing.

Re:Wait a minute (0)

John Hasler (414242) | more than 4 years ago | (#32787126)

Because enforcing that every application use these would mean certain sorts of applications couldn't be written

Yes. Buggy ones.

Re:Wait a minute (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32787536)

How would you write a JIT without the ability to turn off DEP on certain pages of memory?

Re:Wait a minute (1)

tepples (727027) | more than 4 years ago | (#32787672)

How would you write a JIT without the ability to turn off DEP on certain pages of memory?

The JIT engine would have to tell the operating system to mark a given range as writable, write, mark the range as executable, and finally execute. Opting in to DEP is an application's way of telling the OS that it is aware of these newly introduced DEP syscalls.

Re:Wait a minute (1)

LBt1st (709520) | more than 4 years ago | (#32787832)

I know I'd hate to have to debug an app on an OS that randomized the memory addresses each time I ran my code. Much better to be able to enable this sort of thing in the release builds.

But then, you'd probably never know there was an access violation to begin with. You'd notice something odd once and perhaps only once, without any way to reproduce it.

There are always going to be bugs, and they must be fixed. The OS enforcing this on all apps would make this nearly impossible.

Re:Wait a minute (1, Insightful)

hedwards (940851) | more than 4 years ago | (#32787164)

You mean despite the fact that other OSes enforce the security model on all the applications that expect to run on it? I know that under FreeBSD and Linux applications are expected to run with the provided resources unless they're specifically run as root or similar. I'm not sure I understand why MS would allow third party apps to do so without having the user make adjustments themselves. Ultimately this is MS' fault for allowing it in the first place.

Re:Wait a minute (4, Informative)

TheLink (130905) | more than 4 years ago | (#32787446)

> I know that under FreeBSD and Linux applications are expected to run with the provided resources unless they're specifically run as root or similar.

DEP and ASLR are all about making it harder for stuff like say Mozilla to be pwned. Not really about resources.

You can force DEP to be on for everything on Windows: http://support.microsoft.com/kb/875352#5 [microsoft.com]
But if your favourite app crashes badly, hope you know how to exclude it.

The trouble is if Mozilla is pwned, and runs "arbitrary code of the attacker's choice", that code can do anything that user account can do, and access anything that user account can access. This is true for FreeBSD, Linux and Windows.

Just because I run a browser doesn't mean I want to allow it full access to whatever my account can access/do.

Windows Vista and Windows 7 actually sandbox IE, so in fact Windows is one up on most major Linux distros in that respect.

I've seen the default apparmor template for firefox on ubuntu. 1) It's not enabled by default, and 2) Even if you enable it, it doesn't really help if you want security, you have to modify the template if you want to protect all your nonbrowser-related files from a pwned browser instance.

Re:Wait a minute (1)

hedwards (940851) | more than 4 years ago | (#32787640)

That's not entirely true. I'm not as well versed at Linux as BSD, but we've got things like security levels, and flags on top of that. An exploit of that fashion is not going to be able to do things to the kernel if you've got it properly configured, nor is it going to be able to make things run at boot without one's say-so.

Sandboxing helps, but Windows has to do it, because it's just way too easy for viruses to install crap to the boot sector.

Re:Wait a minute (1)

cbhacking (979169) | more than 4 years ago | (#32788182)

Actually, it's not (and hasn't been for years). Opening a drive's boot sector (or loading kernel drivers) requires administrative privileges, and starting with Vista the default configuration is that your apps don't *have* admin privileges (I configured XP this way too, but it didn't have a nice mechanism like UAC or sudo for those times when Admin is needed - runas is a pain by comparison). NT has a very powerful security model... it's just that most users say "Give me and everything I run full permissions, don't bug me with this security crap" and make said security model somewhat useless.

Re:Wait a minute (1)

yuhong (1378501) | more than 4 years ago | (#32787328)

Properly written applications will mark data areas as executable if code is going to be executed from them; it is just that many older applications aren't written properly and thus crash when DEP is enabled.

Re:Wait a minute (0)

Anonymous Coward | more than 4 years ago | (#32787462)

Any moron writing an application to run that way is a moron.

Re:Wait a minute (1)

tepples (727027) | more than 4 years ago | (#32787940)

Any moron writing an application to run [by recompiling code and then executing it] is a moron.

The publishers of VMware, VirtualBox, Virtual PC, Java, and .NET would take issue with your characterizing their developers as morons.

Re:Wait a minute (2, Insightful)

X0563511 (793323) | more than 4 years ago | (#32787592)

Some would argue that programming this way is broken to begin with...

True, some work for Apple (2, Interesting)

tepples (727027) | more than 4 years ago | (#32787694)

Managed execution environments, such as .NET and Java, usually recompile each method as it is executed for the first time. In a DEP environment, the JIT recompiler needs a way to tell the OS to flip parts of memory between data and executable. So if "some" argue that managed code is broken by design, I'd guess "some" work for Apple's iOS division, the only company I can think of that has explicitly banned managed code.

Re:Wait a minute (1)

Nutria (679911) | more than 4 years ago | (#32787734)

Some would argue that programming this way is broken to begin with...

That's big in CompSci circles and it's infected a great deal of programmers.

However, COMPUTED GOSUB/GOTO/PERFORM are stunningly useful and are just another term for arrays of function pointers.

Re:Wait a minute (0, Troll)

booyabazooka (833351) | more than 4 years ago | (#32787172)

Why doesn't Windows enforce its security?

I question your assertion that Windows is security.

Re:Wait a minute (1, Insightful)

0123456 (636235) | more than 4 years ago | (#32787398)

Because then 90% of old Windows apps won't run and since people only buy Windows to run Windows apps, they get pissed off.

It's bad enough with 64-bit Windows 7 where many games require hacks and workarounds or simply won't run at all in the case of old 16-bit games. I only use Windows on my laptop for games and video editing and given the incompatibility issues I'm not sure it's even worth bothering; the average older game seems about as likely to run in Wine as Windows.

Microsoft are screwed because they've allowed such bad programming practices in the past that they can either block them for security and have millions of users beating down their door because old apps no longer work, or they can allow those bad practices to continue so Windows remains an insecure piece of junk.

Re:Wait a minute (0)

Anonymous Coward | more than 4 years ago | (#32787648)

Because then 90% of old Windows apps won't run and since people only buy Windows to run Windows apps, they get pissed off.

It's bad enough with 64-bit Windows 7 where many games require hacks and workarounds

And by many I assume he means "one", because that's how many apps I had trouble with in Windows 7 (StarCraft), and yet that works perfectly with Chaoslauncher, and almost perfectly without it.

Re:Wait a minute (1)

tepples (727027) | more than 4 years ago | (#32787786)

It's bad enough with 64-bit Windows 7 where many games require hacks and workarounds or simply won't run at all in the case of old 16-bit games.

Old 16-bit games run just fine in Windows 7 through the appropriate emulator, such as DOSBox or Snes9x. Or what am I missing?

first post! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32786926)

please take a moment to reflect upon our national heritage. Ok, moment's over. Eat my ass!

Re:first post! (-1, Offtopic)

Yvan256 (722131) | more than 4 years ago | (#32786952)

If you want to reflect upon your USA heritage, shouldn't that be "eat my shorts [wikipedia.org] "?

AOL's Winamp? (0)

Anonymous Coward | more than 4 years ago | (#32786932)

I remember using Winamp on Windows 98SE. How the mighty have fallen.

Ya think? (0)

mcgrew (92797) | more than 4 years ago | (#32786958)

Did MS pay for this story? Kudos to them for making the OS more secure, though. Now if I could only get Mandriva on this netbook...

I didn't RTFA, is there a list of unsecure apps?

Re:Ya think? (0)

Anonymous Coward | more than 4 years ago | (#32787298)

yes

Re:Ya think? (1)

tokul (682258) | more than 4 years ago | (#32787526)

I didn't RTFA, is there a list of unsecure apps?

Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, VideoLAN VLC Player, and Winamp - no DEP/ASLR
Flash player - ASLR only
Adobe Acrobat Reader - DEP only, but DEP can be circumvented
Firefox - DEP only
http://krebsonsecurity.com/wp-content/uploads/2010/07/depaslr-236x300.jpg [krebsonsecurity.com]

Adobe's problem (5, Insightful)

ILuvRamen (1026668) | more than 4 years ago | (#32786972)

Somehow I think that adding both of those options to anything Adobe makes wouldn't make an ounce of difference. They first need to patch that whole "putting features and pretty design before security" thing.

Re:Adobe's problem (1)

beakerMeep (716990) | more than 4 years ago | (#32788196)

I know it's cool to hate on Adobe these days, but did you even read the summary? They got it right on this one.

Multi-Platform Programs (0)

Anonymous Coward | more than 4 years ago | (#32787002)

I'm not a programmer, so I might be completely off on this, but I've noticed that a lot of those programs are multiplatform. If DEP and ASLR are only implemented in Windows (and again, I don't know if they are), wouldn't the developers have to make a separate version of the program just to take advantage of those features?

Re:Multi-Platform Programs (3, Informative)

pavon (30274) | more than 4 years ago | (#32787180)

No, for most applications it wouldn't have much impact on the code base to implement these changes, especially compared to the other changes in GUI, Networking, IPC, and other system libraries that they already have to maintain.

The two features are both about preventing memory access errors from turning into exploits. The only apps that need to be changed before enabling DEP are ones that do some sort of JIT compilation of code into data memory and then execute it - and even these apps can enable DEP if they allocate memory for this compiled code using a Windows-specific API that marks it as executable. The only apps that will run into problems with ASLR are those that hardcode memory locations. No one should be doing this and a cross-platform app definitely won't be.

So it isn't a big deal for cross-platform applications, they probably just haven't spent the time to investigate all the ins and outs of MS's features, since they aren't native to that platform. I know I haven't on my in-house applications; I probably should.

Re:Multi-Platform Programs (1)

pavon (30274) | more than 4 years ago | (#32787340)

Also I should add that Linux, OS X, and other operating systems have these same features under different names, so any work required to clean up the code to meet the standards required to enable them would be beneficial to all the platforms. Only a small amount of platform specific code would be needed to enable the features on each platform.

Re:Multi-Platform Programs (1)

X0563511 (793323) | more than 4 years ago | (#32787608)

So, basically run your own malloc function that, in turn, detects the OS and uses the required API?

If it's that simple, why hasn't it been done yet? Yeesh. I hope it's that simple and yet I hope it isn't (because if it is, that means lazy coders are involved)

Re:Multi-Platform Programs (4, Informative)

yuhong (1378501) | more than 4 years ago | (#32787430)

Not to mention that all of these features are themselves cross-platform too. Linux has had NX support since 2.6.8, released right around the release of XP SP2 (in around August 2004) for example; it was just that most distros were not enabling it because they were defaulting to non-PAE kernels. What made it worse was Intel made the mistake of releasing Pentium Ms without PAE in 2003 and 2004. They had to finally add PAE in order to add NX to Pentium M, which was done at the beginning of 2005, but by then it was too late. Mandriva tried to default to PAE kernels back in 2005, but was forced to back off after that mistake was discovered. Ultimately Ubuntu and Fedora added auto-detection to their installer last year, finally installing a PAE and thus NX capable kernel on capable processors.

Re:Multi-Platform Programs (1)

hedwards (940851) | more than 4 years ago | (#32787184)

Depends on what the specifics of the code are. That's usually the responsibility of a library to deal with, you can also use ifdefs in languages like C if you have to, but generally speaking the ideal cross platform code will segregate platform specific code from the rest of it.

Re:Multi-Platform Programs (1)

badpazzword (991691) | more than 4 years ago | (#32787262)

Yes, but I doubt any program on that list doesn't already have platform specific code.

Re:Multi-Platform Programs (0)

Anonymous Coward | more than 4 years ago | (#32787350)

are you sending this loaded question from your iPhone?

isn't that OSs problem? (1)

roman_mir (125474) | more than 4 years ago | (#32787018)

Why should this be up to an application at all? You either have a secure install or you don't, if you do, then no application would have the authority to run outside of the rules, if you don't, you have to acknowledge it as a user and force the OS not to bother forcing this.

It's FIRST: User's choice. Second: OS enforcement. Distant third: what an individual application is doing.

So if the user says: Enforce, then all calls to OS routines to allocate memory for example must be rerouted by the OS through this memory randomization thing and OS must force certain memory to be for execution and the rest to have the 'no-execution' bit set. OS should be able to make any application into a compliant one, so what's the deal?

Re:isn't that OSs problem? (2, Interesting)

Anonymous Coward | more than 4 years ago | (#32787090)

Just enforce the DEP and ASLR system wide and see what breaks. I personally couldn't imagine doing anything else. Few clicks and that's it.

Re:isn't that OSs problem? (2, Informative)

hitmark (640295) | more than 4 years ago | (#32787170)

DEP sounds similar to what SimCity did back in the DOS days: use memory after it had freed it. Funny thing is, Microsoft made sure that if Windows detected a DOS binary named SimCity doing that, it would allow it. This to maintain backwards-compatibility.

And I suspect this is also why DEP is made optional per program, as there may have been some lazy code written back in the day that's still in use somewhere.

Re:isn't that OSs problem? (1)

Eudial (590661) | more than 4 years ago | (#32787232)

[citation needed]

Re:isn't that OSs problem? (2, Informative)

cbhacking (979169) | more than 4 years ago | (#32788068)

DEP isn't really similar to that at all. That was a case of misusing a memory manager, which is bad behavior and can cause security holes, but doesn't really count as failing to use a security feature. DEP - Data Execute Protection - does just what it sounds like: it prevents the data (stack and heap) of a program's memory representation from being executed. More specifically, if the instruction pointer tries to move to a page of memory that has the NX (No eXecute) bit set, it throws a hardware interrupt and the OS kills the program (and pops up a warning). The idea is to prevent somebody from injecting binary instructions - a shellcode - into a memory buffer and then overwriting a return address or similar to execute those instructions. The overwrite can still work, but because the instructions are in a data page, not a code page, the exploit will fail.

The problem is, a lot of programs - especially those that execute any kind of code, such as JavaScript in Foxit or ActionScript in Flash - use executable code in data pages legitimately, and intentionally call into it. The CPU doesn't know the difference, so those programs get killed too. The OS *can* know the difference - you can set exemptions for specific apps in Windows - but adding such an exemption just turns off DEP for that program entirely.

Side note: if you're willing to deal with figuring out which of your apps are DEP-compatible but don't have the flag for it set, you can change Windows default behavior to use DEP unless instructed not to. In fact, you can tell it to use DEP on everything, regardless of exemptions, but this is likely to make some apps get killed by the OS. I run with DEP set on opt-out, and aside from a couple of apps (StarCraft, for example... not sure why) that were incompatible but too old to include the flag saying so, it's worked out well.

Re:isn't that OSs problem? (1)

TheLink (130905) | more than 4 years ago | (#32787292)

It's already been the user's choice since WinXP SP2. The deal is, 1) you cannot turn it on by default because many apps will break. 2) most users are ignorant, they wouldn't know about the choice, understand the choice, or figure out what to do if stuff doesn't work and how to exclude them if desirable.

http://support.microsoft.com/kb/875352#5 [microsoft.com]

If you are logged on as an administrator, you can manually configure DEP to switch between the OptIn and OptOut policies by using the Data Execution Prevention tab in System Properties. The following procedure describes how to manually configure DEP on the computer:

      1. Click Start, click Run, type sysdm.cpl, and then click OK. [or press winkey + pause/break]
      2. On the Advanced tab, under Performance, click Settings.
      3. On the Data Execution Prevention tab, use one of the following procedures:
                    * Click Turn on DEP for essential Windows programs and services only to select the OptIn policy.
                    * Click Turn on DEP for all programs and services except those I select to select the OptOut policy, and then click Add to add the programs that you do not want to use the DEP feature.
      4. Click OK two times.

Most of the windows users who don't know about it, shouldn't be touching it. The rest who know about it, know what to do with it.

Thing is the malware bunch aren't targeting the latter.

Why can't Flash implement DEP? (1)

PhrostyMcByte (589271) | more than 4 years ago | (#32787026)

You can enable DEP on Windows and still allocate executable memory. You just can't get it from malloc(). This feature is needed so little that it should be a pretty trivial amount of modifications to get code working. It's probably not that they can't, but that they simply won't because it's too low a priority compared to the next big shiny feature.

Re:Why can't Flash implement DEP? (0)

Anonymous Coward | more than 4 years ago | (#32787078)

Because Flash is not an application but a plugin. It is up to the application (e.g. the web browser) to enable (or rather, not opt out of) DEP.

Re:Why can't Flash implement DEP? (1)

pavon (30274) | more than 4 years ago | (#32787424)

Yeah, and apparently Flash is "DEP-safe", since IE 8 enables DEP and Flash works there (unless IE is only enabling DEP for the main process and not the tab processes).

Re:Why can't Flash implement DEP? (0)

Anonymous Coward | more than 4 years ago | (#32787696)

. . . nice bashing there. But if you had any clue what you are talking about you'd know that Flash uses Just-In-Time compiling techniques which, like Javascript JITs, or Java VMs, have to turn data into executable code. The very thing DEP prevents. So no, they cannot use DEP.

Re:Why can't Flash implement DEP? (2, Informative)

pavon (30274) | more than 4 years ago | (#32787984)

No, DEP only prevents execution on memory that is not marked executable. Enabling DEP marks all memory as non-executable by default, but you can use the VirtualAlloc [microsoft.com] function in Windows to allocate memory that is marked executable. This allows for the implementation of JIT compilers even with DEP turned on.

Report is flawed (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32787046)

VLC uses both DEP and ASLR in the latest VLC 1.1.0.

The blog is a rewrite of a blog from Secunia who is testing an old version of VLC...
They can't even spread their "security fear" correctly...

"app" (3, Insightful)

Anonymous Coward | more than 4 years ago | (#32787076)

Can we please stop calling everything "apps" and go back to programs. App is getting to be as annoying as blog.

Re:"app" (1, Informative)

Anonymous Coward | more than 4 years ago | (#32787168)

It's too late. Apple started it, and now the rush is inevitable. I saw someone on lkml call a program an 'app' the other day - there is no more resistance.

Re:"app" (4, Funny)

hedwards (940851) | more than 4 years ago | (#32787196)

Well, then God help you when you come across an app blog that blogs blog apps.

Re:"app" (0)

Anonymous Coward | more than 4 years ago | (#32787250)

"App" now means a small, useless program that you buy or get for free from a "store."

Re:"app" (3, Interesting)

Anonymous Coward | more than 4 years ago | (#32787434)

"App" has been short for "application" for a long time. I'm more annoyed by people who think it's specific to the iPhone (an intranet blog at work not long ago claimed (with no iContext, it was about the progress of technology rather than anything directly Apple-related) that the "first app" appeared in 2008).

Re:"app" (1)

mlts (1038732) | more than 4 years ago | (#32787740)

To me, apps are modules of code you find on smartphones. Applets are Java based pieces of code. Applications are executables made for a general purpose computer like a Windows machine, Mac, or pSeries. Programs are a catch-all, but I tend to use the word programs for code written on a full computer OS, as opposed to a smartphone.

"decreases significantly"? (2, Interesting)

RenQuanta (3274) | more than 4 years ago | (#32787122)

I guess it's a matter of perspective...

Insomnia Sec's SyScan presentation on defeating DEP [insomniasec.com] [PPT warning]

Google cache HTML-ified alternative to the PPT [googleusercontent.com]

It may well be that DEP's useful days are numbered. It's likely just a matter of time before these techniques are better researched, more widely understood and commonplace.

As always, the best defense is in depth, responsible disclosure, and patching, patching, patching.

Re:"decreases significantly"? (2, Informative)

hitmark (640295) | more than 4 years ago | (#32787182)

or hired guns pulling black ops missions on the people writing the malware.

Re:"decreases significantly"? (1)

cbhacking (979169) | more than 4 years ago | (#32788082)

Defeating DEP in and of itself is trivial. That's what ASLR is for. It's still technically possible to exploit an application that uses both, but it's much, much harder, and generally speaking you can't get a guarantee of success like you can with a return-to-shellcode or return-to-libc attack - the first of which DEP prevents and the second of which ASLR prevents.

Stop talking about things you don't understand (1)

BitZtream (692029) | more than 4 years ago | (#32787202)

Every app can be forced to use DEP and ASLR. It's a Windows setting, not an app setting.

Apps can choose to make themselves fall into those categories or not for compatibility reasons, but the sys admin can most certainly force both on for all applications. Windows controls

Second, whoever said 'flash can't do DEP' needs to stop injecting their ignorance into the conversation. That's roughly the same as saying no web browsers can do DEP, and that the C#/VB/*.NET compilers can't produce DEP-compatible output. The only thing even close to a problem is the scripting, which doesn't actually present a problem unless you're using crappy hacks from 70s mainframes in order to make it work a little faster. Of course, they could just use the right API call so they can dynamically allocate executable memory rather than just using malloc and saying it can't be done, but ...

Who really expects Adobe to actually know what they are doing or do anything right anymore?

The problem is that the default configuration in the mainstream versions of Windows right now is not to default to 'on for all' for DEP and ASLR. If you give a developer two choices, A) easy and quick, B) long and hard but safer, then unless he/she is doing the code for free, you can assume they're going to pick A over B. The only people who pick B are the ones doing it out of love, not for a paycheck.

Until Windows forces them to pick B, most are going to pick A.
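Added example (not code from the Secunia paper, from Krebs, or from anyone in this thread): the "category" an app puts itself in is two bits in the DllCharacteristics field of its PE optional header, set by the MSVC linker switches /NXCOMPAT (0x0100, DEP opt-in) and /DYNAMICBASE (0x0040, ASLR-capable) and shown by `dumpbin /headers` as "DLL characteristics". The C program below reads those bits from any .exe or .dll so you can re-check a report's claims against the binary you actually have installed (the VLC 1.1.0 dispute above is exactly this kind of question). Its built-in checks use a constructed 160-byte header, not a real executable, so it runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* IMAGE_DLLCHARACTERISTICS bits from the PE/COFF specification. */
#define DLLCHAR_DYNAMIC_BASE 0x0040  /* linked with /DYNAMICBASE: image may be rebased (ASLR) */
#define DLLCHAR_NX_COMPAT    0x0100  /* linked with /NXCOMPAT: image opts in to DEP          */
#define PE_BAD (-1)                  /* returned when the buffer is not a usable PE header    */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Return the DllCharacteristics field of an in-memory PE image, or PE_BAD.
 * Every read is bounds-checked first, so a truncated or hostile file
 * cannot walk the parser past the end of the buffer. */
int pe_dll_characteristics(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return PE_BAD;
    uint32_t pe_off = rd32(img + 0x3c);                  /* e_lfanew */
    if (pe_off > len || len - pe_off < 4 + 20) return PE_BAD;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return PE_BAD;
    const uint8_t *coff = img + pe_off + 4;
    uint16_t opt_size = rd16(coff + 16);                 /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;
    /* DllCharacteristics is at offset 70 in both PE32 (0x10b) and PE32+ (0x20b). */
    if (opt_size < 72 || len - (size_t)(opt - img) < 72) return PE_BAD;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return PE_BAD;
    return rd16(opt + 70);
}

/* Human-readable verdict in the same four buckets the report uses. */
const char *mitigation_summary(int dllchar)
{
    if (dllchar == PE_BAD) return "not a PE image";
    int dep  = (dllchar & DLLCHAR_NX_COMPAT) != 0;
    int aslr = (dllchar & DLLCHAR_DYNAMIC_BASE) != 0;
    if (dep && aslr) return "DEP+ASLR";
    if (dep)         return "DEP only";
    if (aslr)        return "ASLR only";
    return "neither";
}

/* Constructed test image: a 160-byte header carrying only the fields the
 * parser reads. It is not a real executable and will not run. */
#define TEST_IMG_LEN 160
static void build_test_image(uint8_t *buf, uint16_t magic, uint16_t dllchar)
{
    memset(buf, 0, TEST_IMG_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                                    /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x40 + 4 + 16] = 72;                             /* SizeOfOptionalHeader */
    buf[0x58] = magic & 0xff;        buf[0x59] = magic >> 8;
    buf[0x58 + 70] = dllchar & 0xff; buf[0x58 + 71] = dllchar >> 8;
}

/* Build a constructed image and parse it back; len < TEST_IMG_LEN simulates
 * a file truncated before the field we need. */
int parse_constructed(uint16_t magic, uint16_t dllchar, size_t len)
{
    uint8_t buf[TEST_IMG_LEN];
    build_test_image(buf, magic, dllchar);
    return pe_dll_characteristics(buf, len < TEST_IMG_LEN ? len : TEST_IMG_LEN);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s file.exe\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    uint8_t hdr[4096];                                   /* real headers fit in the first 4K */
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    int flags = pe_dll_characteristics(hdr, n);
    if (flags == PE_BAD) printf("%s: not a PE image\n", argv[1]);
    else printf("%s: %s (DllCharacteristics=0x%04x)\n", argv[1], mitigation_summary(flags), flags);
    return 0;
}
```

Two caveats when reading the verdict: the NX bit is only the image's own opt-in, so the OptOut machine policy quoted earlier still applies DEP to an image without it, and a 64-bit process always runs with DEP on x64 Windows regardless of the flag; and DYNAMICBASE only buys randomization if the image still carries its relocation data, since the loader cannot rebase an image whose .reloc section was stripped.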

DEP yes, ASLR no (3, Interesting)

Animats (122034) | more than 4 years ago | (#32787206)

Data execution prevention is a no-brainer. Unix has had that since the 1970s.

ASLR, though, is iffy. Randomizing the position of code in memory is a form of security through obscurity. If there's a bug that's exploitable with ASLR, it's a bug that can crash the program without it. It also makes debugging harder. No two crash dumps for the same bug are the same. Not even close.

What's more useful is running applications with very limited privileges. If the browser's renderer can't do much except render the single page it's supposed to be rendering, then corruption within it isn't a big deal. Firefox's approach to running plugins in a separate process is a big step forward, and the more jail-like that process becomes, the better. You really need a mandatory security model like SELinux to make this work, and Windows doesn't have that.

ASLR possibly degrades performance? (2, Interesting)

Rockoon (1252108) | more than 4 years ago | (#32787332)

Modern machines rely heavily on cache for efficiency, and thus code and data locality. I wonder what effect ASLR has on this.

Re:ASLR possibly degrades performance? (4, Informative)

Anonymous Coward | more than 4 years ago | (#32787606)

None - ASLR affects the initial base location where various program sections are placed, so code & data locality remains the same relative to each other.

Re:ASLR possibly degrades performance? (0)

Anonymous Coward | more than 4 years ago | (#32787618)

Probably none. I did not RTFA, but ASLR is probably done at the page level (page size is at least 32K) but caching is done in much smaller blocks (maybe 4K maximum... been a long time since I did a hardware class) and the boundaries will align (so locality is not an issue on a boundary).

Re:ASLR possibly degrades performance? (0)

Anonymous Coward | more than 4 years ago | (#32787864)

no impact: the randomization is done when the program loads

Re:ASLR possibly degrades performance? (2, Insightful)

cbhacking (979169) | more than 4 years ago | (#32788140)

None, really. ASLR doesn't mean that every single instruction winds up somewhere random, it just means that when loading a file of executable code - either a program or a library - it places the in-memory representation at a random address. This means you can't, for example, do a return-to-libC attack by simply figuring out the address that your target platform places its C runtime at; it will instead be different on every system and every day. However, within any given binary, the relative locations of instructions are unaffected. Net result: code locality is almost entirely preserved, but exploits get a lot harder.

Re:DEP yes, ASLR no (3, Interesting)

abigsmurf (919188) | more than 4 years ago | (#32787416)

By that logic, encryption is also security through obscurity, therefore there's no point in encrypting data.

The point of ASLR isn't to provide absolute security, it's to provide an additional layer of security to make it harder to produce meaningful exploits from vulnerabilities.

ASLR more effective than DEP (0)

Anonymous Coward | more than 4 years ago | (#32787720)

I agree that `DEP' is a no-brainer, but it's only effective against very basic attack techniques. It can easily be circumvented with a return-to-libc attack.

ASLR, when implemented properly, is very effective against most attacks. If you have any clue in computer security, you would notice that nearly every security mechanism works in a similar way (passwords, cryptographic keys, CSRF tokens, etc...).

When attacking a remote machine, it can take some serious amount of time to `crack' ASLR (especially on a 64bit box, comparable to cracking a password). Such `brute force' attacks can easily be discovered by an IDS, and ASLR can give the sysadmin the necessary time to patch the potential flaw.

If you think that randomizing something is security through obscurity, you're full of BS. Security through obscurity means that the design or implementation (i.e. of a cryptographic algorithm) is kept secret or is obscured, and therefore the security of such system can not be determined.

Re:DEP yes, ASLR no (2, Informative)

benjymouse (756774) | more than 4 years ago | (#32787794)

You really need a mandatory security model like SELinux to make this work, and Windows doesn't have that.

Oh? Since Vista, Windows can run executables in "low integrity mode". When a low integrity mode process is started, the security token of the process (which is inherited from the user) is stripped of all admin privileges, stripped of write access to anywhere but a designated cache area, and barred from making changes to the registry.

Basically, Windows allows a user account to be sub-divided based on the activity the account is used for. If it is a potentially internet-facing activity, the app should use low-integrity mode. That *is* a jailed sandbox. In fact, it is so restrictive that for an app such as IE (or Chrome) to allow files to be downloaded, a separate "helper" or "broker" process must be used. IE comes with a standard process for that. If a plugin (or ActiveX control (shudder)) needs to download a file, it must enlist the help of this process. It is in fact this process which displays the download dialog, meaning it is very, very hard to sneak files onto a user's system through IE, Chrome or other sandboxed apps.

To do so you will have to explore some a in a process which already runs outside the sandbox - e.g. in IE's broker process (no example of that yet) or in Flash's own helper (one example of that in pwn2own 2008).

One interesting twist on the low integrity mode is that usually processes (apps) running under the same account in the same session (i.e. interactively logged on) can "talk" to each other by sending messages. Which means that Excel can send messages to Outlook. But a lower integrity process *can not* send messages to a higher privileged process.

Office 2010 now also uses a low integrity process to view "unsafe" documents. Unsafe documents are documents received from the internet or through mail (the receiving app writes a note of the origin to an alternate data stream).

Firefox is the laggard here. Chrome and IE already use Windows low integrity mode to sandbox the browser session. Chrome takes steps to further rein in its process. This means that despite the fact that Chrome has had more vulnerabilities discovered (WebKit) than IE through the latter years, it would be *very* hard to exploit those. Firefox, not so much. It actually has a worryingly high number of vulnerabilities - many more than IE. And they (at this time) have no sandbox. The separate process for plugins is still not sandboxed. The only thing Mozilla has going for them on the security front is that they seem to be among the fastest patchers.

Re:DEP yes, ASLR no (1)

tepples (727027) | more than 4 years ago | (#32787850)

for an app such as IE (or Chrome) to allow files to be downloaded, a separate "helper" or "broker" process must be used. [...] a lower integrity process *can not* send messages to a higher privileged process.

Then how does IE tell its "broker" what to do?

Re:DEP yes, ASLR no (0)

Anonymous Coward | more than 4 years ago | (#32787914)

What you're saying sounds a lot like people bragging that they don't like wearing seatbelts while driving.
Because programs will always have bugs, this measure just makes sense.

"just" DEP and ASLR? Really? (1)

Sal Zeta (929250) | more than 4 years ago | (#32787304)

Wait, are we shocked because third-party applications do not support DEP and ASLR? Hell, most of them completely ignore even the basics of user permission management.

"Do you want to use our software? Run it as Administrator!".

And when Microsoft starts implementing some reasonable security in Windows 7, guess what's the common answer to such a problem? "Disable UAC", of course!

My mouse from Thrust wouldn't even detect the multiple buttons on it if UAC isn't turned off... and, of course, if an always-running service written in VB6 that eats 25 MB of RAM is active, too (together with the always-running PunkBuster daemon from some forgotten and long-uninstalled game, the Adobe Licensing Manager server, the iPod management service, and some other shitty "I don't know how to properly hook into the operating system" utility, like using a single application to make the CD-ROM "eject" button work).

I'm a graphic, and I've neither the time nor the inclination to deal with such problems, yet I need a machine as responsive as possible. Personally, I'm fleeing to Mac OS as fast as possible (that is, when Adobe will accept my platform license switch).

Frankly, until the Windows software environment changes radically, I don't see how somebody would voluntarily put himself in such a mess.

Re:"just" DEP and ASLR? Really? (1)

yuhong (1378501) | more than 4 years ago | (#32787438)

Hell, most of them completely ignore even the basics of User Permission Management. "Do you want to use our software? run it as Administrator!".

What was IMO even worse was that feature has existed since NT 3.1!

Microsoft also mentioned memory protection (3, Funny)

noidentity (188756) | more than 4 years ago | (#32787338)

Microsoft also added, "If only those applications would use our special memory access functions, they wouldn't go overwriting other programs' memory. There's nothing we can do at the OS level to prevent this, so it's up to application developers to do the right thing."

Wha? (1)

toadlife (301863) | more than 4 years ago | (#32787600)

Was that meant to be funny?

Re:Wha? (1)

suomynonAyletamitlU (1618513) | more than 4 years ago | (#32787830)

Do you mean, were Microsoft's bad decisions meant to be funny, or did you mean, was the executive summary of Microsoft's bad decisions highlighted at an opportune time with ironic phrasing meant to be funny?

Re:Wha? (1)

BitZtream (692029) | more than 4 years ago | (#32787854)

Guess you don't realize that when MS made that statement it was when most PC owners didn't have a PC with an MMU, so there truly wasn't anything the OS could do about it on the common hardware.

You need VMM support, which requires an MMU (on chip or otherwise), in order to actually have protected memory.

Go ahead though, pretend you have a clue, no one will notice.

Re:Wha? (0)

Anonymous Coward | more than 4 years ago | (#32788180)

Your answer is the same answer to the question, "Was your post supposed to elicit jokes on just how stupid you are?" Because I'm feeling spunky today, here you go. The answer is yes.

I can't RTFA (3, Funny)

sproketboy (608031) | more than 4 years ago | (#32787500)

because Its PDF and I don't know if my Adobe reader has DEP so I'm afraid I'll get hacked..... /s

Java? (2, Interesting)

alannon (54117) | more than 4 years ago | (#32787516)

I'd be a bit surprised if Java could take advantage of either of these mechanisms due to the nature of the dynamic compiler and class-loading, without major, major problems. MS probably had to build special mechanisms into the CLR runtime for it to work in .NET.
On the other hand, Java has a reputation of being a pretty bulletproof platform in terms of the exploits that these two mechanisms are designed to protect against.

Re:Java? (1)

benjymouse (756774) | more than 4 years ago | (#32787872)

I'd be a bit surprised if Java could take advantage of either of these mechanisms due to the nature of the dynamic compiler and class-loading, without major, major problems.

It is entirely possible to take advantage of these counter-measures. I believe that Java on BSD does something like copying memory around to support the NX bit and still allow the running process to write new code. The restriction that is enforced is that a memory block cannot be *both* executable *and* writable. It is perfectly ok to write memory and then switch it to executable code.

MS probably had to build special mechanisms into the CLR runtime for it to work in .NET.

No, they just designed .NET to always execute fully compiled. Unlike Java, .NET's "intermediate code" was never intended to be interpreted at runtime. Instead .NET JITs an assembly (dll) before executing. .NET even supports creating assemblies dynamically (no hacks) through Reflection.Emit (no need to save to files and do bytecode manipulation). A dynamic assembly is still compiled fully to machine instructions before execution begins.

On the other hand, Java has a reputation of being a pretty bulletproof platform in terms of the exploits that these two mechanisms are designed to protect against.

Whaaat? Java has an abysmal vulnerability track record, and this exact issue was used in a pwn2own exploit of Windows Vista. Not the OS, but a blended attack through Java and Flash. The attacker took advantage of the fact that Java did not support NX and even string literals were executable. Because of that, the attacker could load perfectly legit-looking Java code (but with string literals which - when executed as machine instructions - were actual attack code).

Re:Java? (2, Informative)

BitZtream (692029) | more than 4 years ago | (#32787952)

You simply have to ask for memory that doesn't have the NX bit set when requesting a memory allocation.

Translation: You don't call malloc(), you use VirtualAlloc with the right flags. Then you get a block of memory back that can be executed.

Either way, with interpreted languages, there is no requirement to be able to directly execute the memory. The interpreter is the executing code, reading and basing its execution path on what the 'compiled' Java byte code looks like. Java doesn't compile to native code, so there's no reason to need memory without the NX bit.

Of course, it has become common practice to JIT compile the Java byte code into native code for performance increases, and that's where you'll need memory that can be executed, but all you have to do is ask for it from the OS.

Emulators and x86 Hypervisors are a good example of uses of memory that needs to be allocated without the NX bit set so it can be directly executed because they try to run the code directly otherwise performance would suck ass.

Either way, the 'special mechanisms' that the CLR uses are available to everyone and have been since before the .NET runtime existed.

People have been able to 'do the right thing' in regards to DEP for at least the last 10 years in Windows.

As far as Java being 'safe from'. This is simply a side effect of the nature of Java. Some of it intentional and a good thing, some of the effects were unexpected, and some of those are good and some are not so good, but thats mostly an issue for debugging bugs in the JVM.
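Added example, not code from anyone in this thread or from any of the products discussed: the allocate-then-flip pattern that pavon, benjymouse and BitZtream describe for running a JIT under DEP, written against the POSIX calls so it compiles and runs on a Linux or BSD box. mmap with PROT_READ|PROT_WRITE stands in for VirtualAlloc(..., PAGE_READWRITE), and mprotect to PROT_READ|PROT_EXEC stands in for VirtualProtect(..., PAGE_EXECUTE_READ); the Windows names are the thread's, the substitution is mine. The generated code is a six-byte x86 stub (mov eax, 42; ret), so on any other architecture the function declines to run it and reports JIT_SKIPPED rather than jumping into bytes that mean something else there.

```c
#define _DEFAULT_SOURCE          /* expose MAP_ANONYMOUS under strict -std modes */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define JIT_SKIPPED (-1)
#define JIT_PAGE    4096         /* one page is plenty for a six-byte stub */

/* Step 1: ask the OS for writable, NON-executable memory for generated code.
 * POSIX stand-in for VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_READWRITE).
 * This is the step malloc() cannot do for you once DEP is on. */
static uint8_t *jit_alloc(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : (uint8_t *)p;
}

/* Step 2: once the code has been written, drop W and add X.
 * POSIX stand-in for VirtualProtect(p, len, PAGE_EXECUTE_READ, &old).
 * Returns 0 on success, -1 on failure (e.g. a policy that forbids PROT_EXEC). */
static int jit_seal(uint8_t *p, size_t len)
{
    return mprotect(p, len, PROT_READ | PROT_EXEC);
}

/* Architecture-independent check that the RW -> RX transition is available
 * to this process: 1 if both steps succeed, 0 otherwise. */
int wx_transition_works(void)
{
    uint8_t *p = jit_alloc(JIT_PAGE);
    if (!p) return 0;
    p[0] = 0xc3;                             /* write while the page is RW */
    int ok = jit_seal(p, JIT_PAGE) == 0;     /* now RX: a write here would fault */
    munmap(p, JIT_PAGE);
    return ok;
}

/* Emit "mov eax, 42 ; ret", seal the page, call it, return what it returned.
 * The byte sequence is x86-specific, so elsewhere we return JIT_SKIPPED. */
int jit_return_42(void)
{
#if defined(__x86_64__) || defined(__i386__)
    static const uint8_t code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
    uint8_t *p = jit_alloc(JIT_PAGE);
    if (!p) return JIT_SKIPPED;
    memcpy(p, code, sizeof code);            /* write phase: page is RW, not X */
    if (jit_seal(p, JIT_PAGE) != 0) {        /* execute phase: page is RX, not W */
        munmap(p, JIT_PAGE);
        return JIT_SKIPPED;
    }
    int (*fn)(void);
    memcpy(&fn, &p, sizeof fn);              /* data pointer -> function pointer */
    int r = fn();
    munmap(p, JIT_PAGE);
    return r;
#else
    return JIT_SKIPPED;
#endif
}

int main(void)
{
    printf("RW->RX transition available: %s\n", wx_transition_works() ? "yes" : "no");
    int r = jit_return_42();
    if (r == JIT_SKIPPED) printf("JIT stub not run (other architecture or exec policy)\n");
    else                  printf("JIT stub returned %d\n", r);
    return 0;
}
```

The point of separating the two steps is that the page is never writable and executable at the same time: an attacker who gets a write primitive while the page is RW cannot run it yet, and once it is RX the write fails. A JIT that instead maps its code cache RWX for convenience keeps working under DEP but hands back exactly the property DEP was meant to remove.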

Kernel, not apps (2, Interesting)

Gothmolly (148874) | more than 4 years ago | (#32787842)

DEP should be handled by the operating system, not the apps. This is the philosophy which has made Windows such a mess over the years.

Two words: JIT recompiler (1)

tepples (727027) | more than 4 years ago | (#32787870)

DEP should be handled by the operating system, not the apps.

Some applications still need to be aware of the operating system's DEP facility. (See discussion above [slashdot.org] for why.)

...Did they just say...? (0, Troll)

Zixaphir (845917) | more than 4 years ago | (#32787848)

What the hell is Winamp doing on this list? That was popular, what? 2000? 2001? Is that obsolete program really still relevant?

How Can Google Chrome Be Considered "Safe"... (2, Interesting)

CAOgdin (984672) | more than 4 years ago | (#32787896)

...when it installs itself, in Windows, at %Userprofile%\Application Data\Google Chrome? That is just amateur programming, and is a real beast if you're in an Active Directory environment with roaming profiles, 'cause the damn software keeps getting copied to/from the server with every logon/logoff. I understand Google might consider compliance with separation of programs from their data "difficult," but the ease with which any malware can corrupt Chrome because of its lack of installation security makes Chrome a pariah in our environment, and I've banned it from all our and client computers!

Logical, no? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32788120)

It strikes me that quite a few of these third party programs listed are crossplatform in some form or another. I'm not at all surprised that they don't see the point in implementing a dubious security feature that would only work on recent versions of windows, when they could focus on more important matters.
