IT security products fail to tap Windows security features

The former Washington Post IT security writer - whose Krebs on Security blog is read by large numbers of people - says he recently highlighted a study which showed that most of the top software applications failed to take advantage of two major lines of defence built into Microsoft Windows that can help block attacks from hackers and viruses.

As it turns out, he adds, a majority of anti-virus and security products made for Windows users also forgo these useful security protections.

For his tests, Krebs installed trial versions of a dozen top anti-virus and security suites on a virtual machine running Windows Vista, and then checked each product's executable files using Microsoft's Process Explorer tool.

This, he explained in his security blog, "provides a mass of information about processes running on your Windows system, including whether or not those processes invoke DEP and/or ASLR."
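Process Explorer reports the running state of each process; the same opt-ins can also be read straight from a binary's PE header before it is ever run, because a Windows image declares DEP and ASLR support through the DllCharacteristics field of its optional header. The following script is an added example and is not code from Krebs or from Infosecurity Magazine; it parses that field with nothing but the standard library, and because a real executable cannot be shipped inline, it builds a constructed minimal PE header for the demonstration. It also checks the relocations-stripped bit, since an image that asks for a dynamic base but carries no relocations cannot actually be moved.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags from the PE/COFF specification
DYNAMIC_BASE = 0x0040      # image may be rebased at load time: the ASLR opt-in
NX_COMPAT = 0x0100         # image is compatible with DEP (non-executable data pages)
HIGH_ENTROPY_VA = 0x0020   # 64-bit images only: wider ASLR address range
# IMAGE_FILE_HEADER.Characteristics flag
RELOCS_STRIPPED = 0x0001   # base relocations removed, so the loader cannot move the image


def pe_mitigations(data: bytes) -> dict:
    """Return which DEP/ASLR opt-ins a PE image declares in its headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                      # start of the 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    (file_chars,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                          # start of the optional header
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both PE32 (0x10B) and PE32+ (0x20B)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    aslr_flag = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr_flag_set": aslr_flag,
        "relocs_stripped": relocs_stripped,
        # ASLR is only effective when the flag is set AND relocations are present
        "aslr": aslr_flag and not relocs_stripped,
        "high_entropy_va": magic == 0x20B and bool(dll_chars & HIGH_ENTROPY_VA),
    }


def build_sample_pe(dll_chars: int, file_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a loadable image) used for offline testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: PE signature follows the DOS header
    opt_size = 240 if pe32plus else 224      # optional header size with 16 data directories
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       1, 0, 0, 0,                     # sections, timestamp, symtab, nsyms
                       opt_size, file_chars)           # SizeOfOptionalHeader, Characteristics
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def describe(data: bytes) -> str:
    """One-line summary in the spirit of Process Explorer's DEP/ASLR columns."""
    m = pe_mitigations(data)
    aslr = "ASLR" if m["aslr"] else ("ASLR flag set but relocs stripped" if m["aslr_flag_set"] else "no ASLR")
    dep = "DEP" if m["dep"] else "no DEP"
    return f"{dep}, {aslr}"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                    # usage: python pe_mitigations.py some.exe
        with open(sys.argv[1], "rb") as fh:
            print(describe(fh.read()))
    else:                                    # no file given: run on constructed headers
        print(describe(build_sample_pe(DYNAMIC_BASE | NX_COMPAT)))
        print(describe(build_sample_pe(0)))
```

The header flags are the compile-time opt-in and do not always match what Process Explorer shows at runtime: DEP can be forced on by the system policy or turned on by the process itself after start, and a 32-bit image on Windows XP gets no ASLR regardless of its flags. Reading the header is therefore the quick triage step for a vendor's shipped binaries; the running process is the final word.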

"Among the anti-virus products that used neither ASLR nor DEP were AVAST Home Edition, AVG Internet Security 9.0, BitDefender Internet Security 2010, ESET Smart Security, F-Secure Internet Security, Norton Internet Security 2010, Panda Internet Security 2010 and Trend Micro Internet Security 2010", he said.

According to Krebs, Microsoft Security Essentials was the only product that used both ASLR and DEP consistently on Windows Vista - although interestingly, it does not invoke DEP on Windows XP.

"Other anti-virus suites I tested used either ASLR or DEP (or both), but only in some applications that make up the suite", he said, adding that, as an example, McAfee Internet Security's 'mcagent.exe' program runs both ASLR and DEP, while four other executable processes spawned by the program ran DEP but not ASLR.

"Similarly, I found that the anti-virus suite from Avira ran its main avguard.exe program in ASLR mode but did not use DEP. The rest of the program files that ship with this product run neither ASLR nor DEP. Kaspersky Internet Security had DEP enabled on just one process (the browser plug-in), and did not invoke ASLR with any program components", he added.

Krebs notes that DEP and ASLR are not panaceas, and that security researchers have come up with a number of clever ways to bypass these protection mechanisms.

"Still, it's interesting to note the lack of these features in anti-virus products for two reasons: First, even researchers who have developed exploits to work around these protections say the two technologies raise the bar significantly for malicious coders", he said.

"Second, anti-virus products are not immune to introducing their own exploitable software flaws", he added.

Because of his findings, Krebs sought comment from all of the anti-virus vendors whose products he examined, with the exception of Microsoft, and received a few responses.

"Most either downplayed the usefulness of the two technologies in combating today's threats, or said that they planned to implement the protections in upcoming releases", he said.

Krebs quotes Mikko Hypponen from F-Secure as saying that adding support for DEP and ASLR in F-Secure's products "is on our roadmap, but has not been implemented yet."

This is, he said, "because we've focused our development efforts lately to focus on performance. Once we have this feature ready, it will be available to all of our customers through our update channel."
