Many of the most widely used third-party software applications for Microsoft Windows
do not take advantage of two major lines of defense built into the operating system that can help block attacks from hackers and viruses, according to research released today.
Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced with Windows Vista
(and Windows 7
) a feature called address space layout randomization
or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention
(DEP) — first introduced with Windows XP Service Pack 2
back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run.
These protections are available to any applications built to run on top of the operation system. But according to a new analysis by software vulnerability management firm Secunia
, half of the third party apps they looked at fail to leverage either feature.