ASLR, or address space layout randomisation, is a feature designed to make it more difficult for threat actors to exploit known vulnerabilities like buffer overflows. This is achieved by randomising where in the memory important data is stored, making it much more difficult to target a specific location. However, a bug has been identified that prevents ASLR from working correctly in later versions of Windows.
The US Computer Emergency Response Team (CERT) says that the bug, which applies to Windows 8 and Windows 10, prevents ASLR from randomising every application, if enabled system-wide through Enhanced Mitigation Experience Toolkit (EMET) or Windows Defender Exploit Guard. This is due to a change in how system-wide ASLR is implemented in these versions:
‘This change requires system-wide bottom-up ASLR to be enabled for mandatory ASLR to receive entropy', CERT writes. ‘Tools that enable system-wide ASLR without also setting bottom-up ASLR will fail to properly randomise executables that do not opt in to ASLR.'
Microsoft released EMET to help protect apps that don't opt in to ASLR and other exploit-mitigation techniques, and can work either on specific apps or system-wide. It was replaced by Windows Defender Exploit Guard in the Windows 10 Fall Creators updates.
Security research Will Dormann writes, "Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR. Although Windows Defender Exploit Guard does have a system-wide option for system-wide bottom-up-ASLR, the default GUI value of "On by default" does not reflect the underlying registry value (unset). This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems."
CERT currently doesn't have a fix for the problem, but recommends enabling system-wide bottom-up ASLR on systems with system-wide mandatory ASLR.
Facebook told by Brussels-based court to stop tracking non-users and to delete all data held on them
Supply chain and manufacturing experience could give Dyson an important edge
New VR Zone Portal arcades open in London and Tunbridge Wells
Systems-on-a-chip with integrated AI features could make voice and facial recognition