
Common Windows apps still without DEP and ASLR - alter8
http://0xdabbad00.com/2012/12/05/finding-slop-common-windows-apps-still-without-dep-and-aslr/
======
justinschuh
This is one of those situations where the author's simplification makes his
assessment dangerously misleading. In the case of DEP+ASLR, there's rarely any
value in doing it partway. If every executable image in your process does not
have DEP+ASLR, then the protection is often worthless because either the
attacker will be able to generate executable pages or will have enough
predictable surface for a ROP chain. However, to make that assessment against
an application you also have to verify what the files are and when/where
they're actually loaded. And of course, you have to look at how the rest of
the application runs to verify it doesn't undermine the protection provided by
ASLR+DEP (e.g. Java historically allocated all memory RWX, making DEP
pointless).

Since I know Chrome well I can use it as an example assessment. The first
thing he mentions is xinput1_3.dll, and he correctly notes that this is used
only when a gamepad is connected. What he doesn't mention is it's used only on
Windows XP, which has no ASLR support. Since DEP is essentially worthless
without ASLR, this file doesn't really have any negative security impact. Of
course, it would be best if this DLL simply had ASLR+DEP enabled, but
unfortunately it's part of Microsoft's DX library and MS doesn't see the point
in changing it (for the reasons I've described).

As for the oddly named installer files, they look like differential updaters,
which are temporary files created during an update. They don't handle any
malicious data because all of the data is embedded in the executable file and
the whole binary's signature is verified before it's run. I'm not sure if
there's something preventing ASLR+DEP on these files. I'd have to check with
the Omaha project <http://code.google.com/p/omaha/> to verify, since they're a
separate project and I just don't know it as well as Chrome.

~~~
yuhong
Not to mention I don't think XP supports /NXCOMPAT anyway.

------
Ironlink
Why look at Firefox 11 when Firefox 17 is the current release? 3 out of 36 is
the current result for Firefox, much better than 13 out of 34.

No DEP, No ASLR: /Mozilla Firefox/maintenanceservice_installer.exe

No DEP, No ASLR: /Mozilla Firefox/webapp-uninstaller.exe

No DEP, No ASLR: /Mozilla Firefox/uninstall/helper.exe

~~~
0xdabbad00
Sorry about that. This is what was on my computer. Apparently the updates have
failed to work (I don't use Windows normally luckily, but that surprised me).
Didn't realize that.

------
huhtenberg
Respective linker flags are:

    ASLR -> /DYNAMICBASE
    DEP  -> /NXCOMPAT

From Wikipedia:

    Vista, Windows Server 2008, Windows 7, and Windows Server
    2008 R2 have ASLR enabled by default, although only for
    those executables and dynamic link libraries specifically
    linked to be ASLR-enabled.

That's by default. You can also force ASLR to be applied to any app by
installing EMET and configuring it respectively -

    http://www.microsoft.com/en-us/download/details.aspx?id=30424

EMET also allows changing DEP protection from Opt-In to Opt-Out, which is
obviously a good thing.

[1] ASLR --
[http://en.wikipedia.org/wiki/Address_space_layout_randomizat...](http://en.wikipedia.org/wiki/Address_space_layout_randomization)

[2] DEP -- <http://en.wikipedia.org/wiki/Data_Execution_Prevention>
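
The two linker flags above land as bits in the PE optional header's DllCharacteristics field, which is what a scan like the one in the linked article actually reads. The following is an added example (not the article's script and not any commenter's code) that parses those bits directly from a file's headers and then applies justinschuh's rule that one unprotected image is enough to undermine the whole process. It also checks the COFF "relocations stripped" bit, since /DYNAMICBASE cannot take effect on an image the loader is unable to rebase. The module names and header-only images are constructed for the demonstration; they are not measurements of real binaries.

```python
import os
import struct
from dataclasses import dataclass
from typing import Iterable, List

# DllCharacteristics bits in the PE optional header (offset 0x46 in both PE32 and PE32+)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by /DYNAMICBASE -> ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT    = 0x0100   # set by /NXCOMPAT    -> DEP opt-in
# COFF file header Characteristics bit
IMAGE_FILE_RELOCS_STRIPPED            = 0x0001   # no relocations: loader cannot rebase the image


@dataclass
class Mitigations:
    name: str
    pe32plus: bool
    aslr_flag: bool
    nx_flag: bool
    relocs_stripped: bool

    @property
    def aslr_effective(self) -> bool:
        """/DYNAMICBASE only helps if the image can actually be relocated."""
        return self.aslr_flag and not self.relocs_stripped

    @property
    def fully_protected(self) -> bool:
        return self.aslr_effective and self.nx_flag


def parse_mitigations(name: str, data: bytes) -> Mitigations:
    """Read the DEP/ASLR opt-in bits straight from the PE headers (no pefile dependency)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError(f"{name}: not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4                      # COFF file header follows "PE\0\0"
    opt = coff + 20                          # optional header follows the 20-byte COFF header
    if opt + 0x48 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError(f"{name}: PE headers missing or truncated")
    opt_size, file_chars = struct.unpack_from("<HH", data, coff + 16)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 0x48:
        raise ValueError(f"{name}: unexpected optional header (magic {magic:#x})")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 0x46)
    return Mitigations(
        name=name,
        pe32plus=(magic == 0x20B),
        aslr_flag=bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        nx_flag=bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        relocs_stripped=bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED),
    )


def weakest_links(modules: Iterable[Mitigations]) -> List[str]:
    """A process is only as protected as its least protected image: return the offenders."""
    return [m.name for m in modules if not m.fully_protected]


def scan_directory(root: str) -> List[Mitigations]:
    """Walk an install directory; the headers we need sit in the first few KB of each file."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".exe", ".dll")):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    head = fh.read(4096)
                try:
                    found.append(parse_mitigations(path, head))
                except ValueError:
                    pass                      # not a PE file, or headers beyond 4 KB
    return found


def build_fake_pe(pe32plus: bool, dll_chars: int, file_chars: int = 0) -> bytes:
    """Constructed header-only image for offline testing; not a loadable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 0x46, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


BOTH = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT

# Constructed sample "process"; names are illustrative, not facts about real binaries.
SAMPLE_MODULES = [
    parse_mitigations("app.exe",     build_fake_pe(False, BOTH)),
    parse_mitigations("system.dll",  build_fake_pe(True,  BOTH)),
    parse_mitigations("gamepad.dll", build_fake_pe(False, 0)),   # neither flag: fixed base, ROP fodder
    parse_mitigations("legacy.dll",  build_fake_pe(False, BOTH, IMAGE_FILE_RELOCS_STRIPPED)),
]

if __name__ == "__main__":
    for m in SAMPLE_MODULES:
        print(f"{m.name:12} ASLR flag={m.aslr_flag!s:5} effective={m.aslr_effective!s:5} "
              f"DEP={m.nx_flag!s:5}")
    print("unprotected images:", weakest_links(SAMPLE_MODULES))
```

Point `scan_directory` at an install folder to reproduce the article's kind of survey. Note what the header bits do not tell you: they are opt-ins read at load time, so a process that calls SetProcessDEPPolicy, as yuhong suggests IE does, or that maps its own RWX memory, as justinschuh describes for older Java, can look fine in this output and still be unprotected at runtime.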

~~~
mbrownnyc
Thank you for including EMET. I was about to post about this.

------
hippich
tl;dr: Even common Windows apps with massive user bases are still horrible
about using even the most basic security features. Please use EMET on Windows
to force these protections.

<http://en.wikipedia.org/wiki/Data_Execution_Prevention>

[http://en.wikipedia.org/wiki/Address_space_layout_randomizat...](http://en.wikipedia.org/wiki/Address_space_layout_randomization)

[http://www.microsoft.com/en-us/download/details.aspx?id=3042...](http://www.microsoft.com/en-us/download/details.aspx?id=30424)

------
yuhong
"The main binary is unprotected from DEP. Likely for backwards compatibility
with sloppy plugins."

I think IE uses SetProcessDEPPolicy instead of /NXCOMPAT.

------
benmmurphy
DEP might be disabled on java because it breaks the JIT

~~~
kevingadd
DEP doesn't break JITs unless they're written incorrectly. Furthermore, the OP
says that DEP isn't disabled on Java...

