Date: 12/22/06 (Mozilla)    Keywords: browser, web

I was playing around with Process Explorer, and apparently it allows you to view the Data Execution Prevention status of running processes. Pretty useless, I thought, since I have Data Execution Prevention turned on for all processes. I have no exclusions specified, and have selected "Turn on DEP for all programs and services except those I select"...

However, despite this, Firefox shows up with DEP status "Off"... It is the only process on my system that does this. I have an Opteron 170 processor (identical to an Athlon64 X2) which supports hardware DEP mode. If an application can simply opt out of data execution prevention despite its being hardware supported and supposedly forced by the OS, it really weakens the protection Especially when the application is a web browser, which is probably the most vulnerable application on the entire system to buffer overflow attacks (which is what DEP is designed to prevent).

I checked out of curiousity, and ThunderBird also comes up with DEP disabled. I have not found any other applications that disable this protection feature.

So, I'm kinda miffed that the supposed "secure" browser has opted out of Data Execution Prevention. Any particular reason/explanation for this?

I have included a screenshot that will show that it is indeed disabled, and I do indeed have DEP enabled on my system.

Source: http://community.livejournal.com/mozilla/380102.html