Secunia sampled 16 of the most popular third-party Windows apps to study how or if they supported Microsoft's and ASLR, and found that half of these apps don't use them at all.
The apps analyzed were Adobe Flash Player, Sun Java JRE, Adobe Reader, Mozilla Firefox, Apple QuickTime Player, VLC Media Player, Apple iTunes, Google Chrome, Adobe Shockwave Player, OpenOffice.org, Google Picasa, Foxit Reader, Opera, Winamp, RealPlayer, and Apple Safari. Among those, QuickTime, Foxit Reader, Picasa, Java, OpenOffice.org, RealPlayer, VideoLAN VLC Player, and Winamp do not use Microsoft's DEP and ASLR.
DEP helps quell code execution in nonexecutable memory and was one of the key defenses against the original Operation Aurora exploit code. ASLR basically protects the system from an exploit attempting to call a system function by placing code in random areas of memory and making it more difficult for an attacker to run malware on a machine.
Thomas Kristensen, CSO at Secunia, says he was surprised that these key Windows apps weren't taking advantage of the Microsoft security features. "That such popular, high-profile products -- some of which has been active exploited recently -- aren't doing more to secure their users" was surprising, he says. "Using DEP/ASLR is a cheap and easy way to make exploitation significantly more difficult."
And all of these apps also have recently discovered memory-corruption vulnerabilities that allow for code execution, he says.
Meanwhile, several of these vendors plan to implement DEP and ASLR, but in the interim their apps remain more exposed. "It is much easier to exploit vulnerabilities in a reliable and consistent manner" without DEP and ASLR, Kristensen says.