Windows 8, 8.1 and 10 incorrectly implement ASLR security feature

By: Costea Lestoc

Windows Vista brought an interesting security feature called ASLR – Address Space Layout Randomization. ASLR loads code at randomized memory addresses, but in Windows 8, Windows 8.1 and Windows 10, it seems that this feature isn’t always implemented correctly.

According to a security analyst, in these last three versions of Windows, ASLR is not using random memory addresses. In other words, it’s useless.

How to implement ASLR manually

By executing code in a random location, ASLR helps protect against exploits that try to take advantage of code that is executed at predictable or known memory addresses.

The problem appears when EMET or Windows Defender Exploit Guard is used to enable mandatory ASLR on a system-wide basis.

The security expert who studied the issue is Will Dormann, and he explains that it comes down to a registry entry.

According to Dormann, both Windows Defender Exploit Guard and EMET enable system-wide ASLR without also enabling system-wide bottom-up ASLR.

Although Windows Defender Exploit Guard has a system-wide option for bottom-up ASLR, the default GUI value of “On by default” doesn’t reflect the underlying registry value.

As a result, programs built without /DYNAMICBASE get relocated, but without any entropy. They are relocated to the same address every time, across reboots and across different systems.

The solution is that you have to create a .reg file with the following text:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00

Then, you have to import this file into the Registry Editor, and everything should be sorted out.
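To see what a MitigationOptions value actually turns on, the following added example (not from the original article or from Dormann's write-up) decodes the `hex:` line of a .reg file and flags the combination described above: mandatory ASLR forced on while bottom-up ASLR is not. It assumes the registry value uses the same little-endian bit layout as the Windows SDK `PROCESS_CREATION_MITIGATION_POLICY_*` constants; the function names and the second sample value are constructed for illustration.

```python
import re

# 2-bit policy fields from the Windows SDK PROCESS_CREATION_MITIGATION_POLICY_*
# constants. Assumption: the registry value shares this little-endian layout.
FORCE_RELOCATE_SHIFT = 8   # mandatory ASLR (force relocate images)
BOTTOM_UP_SHIFT = 16       # bottom-up ASLR (randomized allocation base)

# Value from the .reg text in the article.
FIXED = '"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00'
# Constructed sample: mandatory ASLR set, bottom-up ASLR left at default.
MANDATORY_ONLY = '"MitigationOptions"=hex:00,01,00,00,00,00,00,00'


def parse_reg_hex(line: str) -> bytes:
    """Return the bytes of a .reg REG_BINARY line such as "Name"=hex:00,01,..."""
    m = re.search(r"=\s*hex:(.*)", line, re.S)
    if not m:
        raise ValueError("not a REG_BINARY hex value")
    body = m.group(1).replace("\\\n", "")  # join .reg line continuations
    return bytes(int(tok, 16) for tok in body.split(",") if tok.strip())


def decode(raw: bytes) -> dict:
    """Extract the two ASLR fields (0=default, 1=always on, 2=always off)."""
    flags = int.from_bytes(raw, "little")
    return {
        "mandatory_aslr": (flags >> FORCE_RELOCATE_SHIFT) & 0b11,
        "bottom_up_aslr": (flags >> BOTTOM_UP_SHIFT) & 0b11,
    }


def zero_entropy_risk(raw: bytes) -> bool:
    """True when images are force-relocated but bottom-up ASLR is not forced on."""
    f = decode(raw)
    # Field value 3 for force-relocate is "always on, require relocations".
    return f["mandatory_aslr"] in (1, 3) and f["bottom_up_aslr"] != 1


if __name__ == "__main__":
    for name, line in (("fixed", FIXED), ("mandatory only", MANDATORY_ONLY)):
        raw = parse_reg_hex(line)
        print(name, decode(raw), "zero-entropy risk:", zero_entropy_risk(raw))
```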

Some users state that the problem stems from EMET and its replacement, which is a tool for sysadmins who “have too much time on their hands” and which was discontinued without a replacement. They don’t think that the problem is with the underlying ASLR system.
