
Microsoft urges developers to design threat mitigations into software

by Phil Muncaster

30 Mar 2011


Microsoft has called on developers of consumer software to adopt the exploit mitigations recommended in its Security Development Lifecycle (SDL) initiative in order to build more secure products.

The wide-ranging SDL Progress Report released today covers the seven-year history of the SDL, Microsoft's attempt to create a "security assurance process that focuses on software development and introduces security and privacy throughout all phases of the development process".

Nearly 60 per cent of software is open to attack, according to figures released last year by application security vendor Veracode.

Although implemented internally since 2004, Microsoft wants the software industry as a whole to use the SDL to build more secure products from the ground up, rather than bolting security testing onto the end of development, which is more costly and less effective.

To this end, the report calls on developers to enable two key exploit mitigations in their software: address space layout randomisation (ASLR) and data execution prevention (DEP). Both are enforced by the operating system at run time, but an application only benefits fully if its binaries opt in at build time.

"Including exploit mitigations in applications and enabling them by default makes it possible to provide generic protection for vulnerabilities that are known or may currently be unknown," the report explained.

However, when Microsoft surveyed the DEP and ASLR settings in the latest versions of 41 top consumer applications, it found that 71 per cent of the applications fully enabled support for DEP but only a third fully enabled support for ASLR.

To enable support for ASLR, an application must link all of its executable images (EXEs and DLLs) with the /DYNAMICBASE linker flag, which marks the image as ASLR-aware for versions of Windows that support ASLR (Vista and later), Microsoft said. The equivalent opt-in for DEP is the /NXCOMPAT flag. A single image built without /DYNAMICBASE, or linked with its relocations stripped so that the loader cannot rebase it, is mapped at a predictable address and hands an attacker a fixed target even when every other module in the process is randomised.

"All of the web browser clients that were surveyed fully enable support for ASLR. Unfortunately, 70 per cent of the surveyed browser plug-ins did not, which means that, although ASLR should be effective in default browser installations, the presence of browser plug-ins is likely to weaken ASLR," the report noted.

"A second observation is that only one of the five security products included in this analysis fully enabled support for ASLR. This is noteworthy given that security products are inherently exposed to untrusted data and the limited adoption of ASLR might therefore make it easier for attackers to exploit vulnerabilities in security products."
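One way to check the /DYNAMICBASE and /NXCOMPAT opt-ins described above across every module loaded in a process, and so to spot the kind of non-ASLR plug-in the report says weakens a browser's ASLR, is to read the flags straight out of each image's PE headers. The following Python script is an added example and is not code from the article or from Microsoft's report. The flag values and header offsets come from the PE/COFF specification; the module names and the header-only test images are constructed for the example (they are not loadable binaries), and the check that relocations have not been stripped is a practitioner's caveat rather than something the report discusses.

```python
import struct

# Flag values from the PE/COFF specification (winnt.h).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # IMAGE_FILE_HEADER.Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by the /DYNAMICBASE linker flag
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by the /NXCOMPAT linker flag
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigations(image: bytes) -> dict:
    """Read the opt-in mitigation flags from a PE image's headers.

    Reports whether the image asks for ASLR (/DYNAMICBASE) and DEP (/NXCOMPAT),
    and whether ASLR can actually take effect: an image whose relocations were
    stripped cannot be rebased, so it ends up at its preferred address
    regardless of the DYNAMIC_BASE bit.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    file_hdr = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", image, file_hdr)
    opt_hdr = file_hdr + 20
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", image, opt_hdr)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", image, opt_hdr + 70)[0]

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "dynamicbase": dynamic_base,
        "nxcompat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def weak_modules(modules: dict) -> list:
    """Given {module name: image bytes} for everything loaded in one process,
    return the names whose ASLR is not effective. One such module gives an
    attacker a fixed-address code region, which is how a non-ASLR plug-in
    undermines an otherwise ASLR-enabled browser."""
    return sorted(name for name, img in modules.items()
                  if not pe_mitigations(img)["aslr_effective"])


def build_test_image(dll_characteristics, file_characteristics=0, magic=PE32_MAGIC) -> bytes:
    """Constructed minimal PE header for offline testing (a stub, not a loadable binary)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header follows the DOS stub
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, file_characteristics)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    # Constructed process: an ASLR-enabled browser hosting two plug-ins, one
    # built with /DYNAMICBASE and one without (hypothetical module names).
    both = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    process = {
        "browser.exe": build_test_image(both),
        "plugin_new.dll": build_test_image(both),
        "plugin_old.dll": build_test_image(IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }
    print("modules weakening ASLR:", weak_modules(process))
```

Pointed at real files (read each module from disk and pass the bytes to pe_mitigations), the script gives the same answer as the "Dynamic base" and "NX compatible" lines that dumpbin /headers prints from the Visual Studio tools, with the extra relocation check. The aslr_effective result is the one to act on: a DLL that reports dynamicbase as true but relocs_stripped as true still loads at a fixed address.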

Microsoft is providing detailed guidance for software vendors on how to enable exploit mitigations in their products.

"Surveying popular consumer applications has shown that, although many applications enabled DEP, the majority did not fully enable ASLR," the report concluded.

"To improve on this situation, software vendors need to make a concerted effort to enable these and other mitigation technologies in their products."
