At the FIRST conference last month, Dave Aitel said something to the effect that DEP and ASLR are the only two noteworthy technologies produced by Microsoft since starting their security initiative. Forgive me, Dave, if I messed that up, and feel free to respond!
I thought that was interesting after reading the post "DEP / ASLR Neglected in Popular Programs" by Secunia. The figure at left summarizes their findings over time.
The report concludes thus:
DEP and ASLR support, although usually trivial to implement, is overlooked by a large number of application developers. The requirement for an additional call to "SetProcessDEPPolicy()" proved confusing to almost all vendors, resulting in late implementation of DEP when running on Windows XP.
Some developers have over time made their applications compatible with DEP, but overall the implementation process has proven slow and uneven between OS versions. ASLR support is on the other hand improperly implemented by almost all vendors, allowing return-into-libc techniques to likely succeed in their applications or in browsers designed to be otherwise ASLR compliant.
While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms. If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attacker's choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.
Hopefully, vendors will see the importance of properly deploying the two measures, resulting in an increased number of third-party applications having full DEP and ASLR support in the near future.
I found the report interesting -- what do you think?
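To make the report's point checkable, here is an added example (not from Secunia's report or from this post) that reads the link-time DEP and ASLR opt-in flags from PE headers and lists every module in a process that would still load at a fixed address. The module names and the `make_pe` sample builder are constructed for illustration, and the check covers only the header opt-in, not a runtime call to `SetProcessDEPPolicy()`.

```python
import struct

# Flag values from the Microsoft PE/COFF specification.
DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
NX_COMPAT = 0x0100        # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP opt-in)
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED (COFF Characteristics)

def pe_mitigations(image: bytes) -> dict:
    """Return the link-time DEP/ASLR opt-in state of one PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if len(image) < pe_off + 96 or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad signature or truncated headers")
    (coff_flags,) = struct.unpack_from("<H", image, pe_off + 22)
    opt = pe_off + 24  # optional header follows the 20-byte COFF header
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    # An image without relocation data cannot be moved, whatever the flag says.
    relocatable = not (coff_flags & RELOCS_STRIPPED)
    return {"dep": bool(dll_chars & NX_COMPAT),
            "aslr": bool(dll_chars & DYNAMIC_BASE) and relocatable}

def audit(exe: str, modules: dict) -> dict:
    """modules maps name -> image bytes for everything the process loads."""
    states = {name: pe_mitigations(img) for name, img in modules.items()}
    # DEP policy is process-wide, so it is read from the executable; ASLR is
    # per image, so one module at a fixed address weakens the whole process.
    fixed = sorted(n for n, s in states.items() if not s["aslr"])
    return {"dep": states[exe]["dep"], "fixed_address_modules": fixed}

def make_pe(dll_chars: int, coff_flags: int = 0) -> bytes:
    """Constructed sample: minimal PE32 headers only, not a loadable program."""
    img = bytearray(0x40 + 24 + 96)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x40 + 22, coff_flags)
    struct.pack_into("<H", img, 0x40 + 24, 0x10B)  # PE32 magic
    struct.pack_into("<H", img, 0x40 + 24 + 70, dll_chars)
    return bytes(img)

# Constructed process: a hardened EXE that loads two third-party DLLs.
SAMPLE = {
    "app.exe": make_pe(NX_COMPAT | DYNAMIC_BASE),
    "plugin.dll": make_pe(NX_COMPAT),  # never opted in to ASLR
    "legacy.dll": make_pe(NX_COMPAT | DYNAMIC_BASE, RELOCS_STRIPPED),
}
print(audit("app.exe", SAMPLE))
```

To audit real software, replace `SAMPLE` with the bytes of the executable and each DLL it loads.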