Security flaw found in Windows malware mitigation system

Posted on Tuesday, November 21 2017 @ 14:12 CET by Thomas De Maesschalck
Security researchers found a hole in the address space layout randomization (ASLR) system used in Microsoft Windows 8 and newer. ASLR is a mitigation that makes common exploits harder to pull off by loading code and data at randomized memory addresses, so an attacker cannot rely on knowing where anything lives.

Note that this only affects software that does not explicitly opt in to ASLR: such applications fall back to system-wide (mandatory) ASLR, but without any entropy. Their images are therefore relocated to a predictable address, the same one on every boot and even across different systems, which defeats the purpose of ASLR. CERT has published a security advisory over here.
Microsoft Windows 8 introduced a change in how system-wide mandatory ASLR is implemented. This change requires system-wide bottom-up ASLR to be enabled for mandatory ASLR to receive entropy. Tools that enable system-wide ASLR without also setting bottom-up ASLR will fail to properly randomize executables that do not opt in to ASLR.

...

The Problem
Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR. Although Windows Defender Exploit Guard does have a system-wide option for system-wide bottom-up ASLR, the default GUI value of "On by default" does not reflect the underlying registry value (unset). This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems.
There's no definitive fix yet, but CERT does offer a temporary workaround that can be activated via a Windows registry edit.
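A defender-side check for the condition CERT describes, as an added example that is not code from the article or from CERT: it decodes the kernel MitigationOptions registry value (the value the CERT workaround edits, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel) using the two-bit field layout of the Windows SDK PROCESS_CREATION_MITIGATION_POLICY_* constants, and reports whether mandatory ASLR is on while bottom-up ASLR is not. The sample blobs are constructed; the live registry read only runs on Windows.

```python
"""Decode the kernel MitigationOptions value and flag "mandatory ASLR on,
bottom-up ASLR unset", the state EMET and Exploit Guard leave behind.
Added example; not the article's or CERT's code."""
import sys
from typing import Optional

# Registry location the CERT workaround writes (under HKEY_LOCAL_MACHINE).
REG_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
REG_VALUE = "MitigationOptions"

# Each mitigation is a 2-bit field; bit positions follow the Windows SDK
# PROCESS_CREATION_MITIGATION_POLICY_* constants (ALWAYS_ON = 1, ALWAYS_OFF = 2).
FIELDS = {
    "force_relocate_images": 8,  # mandatory ASLR, ..._FORCE_RELOCATE_IMAGES_ALWAYS_ON = 0x100
    "bottom_up_aslr": 16,        # ..._BOTTOM_UP_ASLR_ALWAYS_ON = 0x10000
    "high_entropy_aslr": 20,     # ..._HIGH_ENTROPY_ASLR_ALWAYS_ON = 0x100000
}
# Value 3 is only defined for force-relocate (ALWAYS_ON_REQ_RELOCS: on, but
# only for images that carry relocation data); it still counts as "on".
STATE = {0: "default", 1: "always on", 2: "always off", 3: "always on (variant)"}


def decode(raw: Optional[bytes]) -> dict:
    """Return each field's state. raw is the REG_BINARY blob (little-endian);
    None means the value is unset, which the Exploit Guard GUI reports as on."""
    word = int.from_bytes((raw or b"")[:8].ljust(8, b"\0"), "little")
    return {name: STATE[(word >> shift) & 0b11] for name, shift in FIELDS.items()}


def mandatory_aslr_without_entropy(raw: Optional[bytes]) -> bool:
    """True when images without /DYNAMICBASE are relocated but to a fixed address."""
    s = decode(raw)
    force_on = s["force_relocate_images"].startswith("always on")
    return force_on and s["bottom_up_aslr"] != "always on"


def read_current() -> Optional[bytes]:
    """Read the live value on Windows; None when unset or when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY) as key:
            value, _ = winreg.QueryValueEx(key, REG_VALUE)
            return bytes(value)
    except FileNotFoundError:
        return None


# Constructed sample blobs (little-endian QWORD as stored in the registry).
EMET_STYLE = bytes.fromhex("0001000000000000")       # force-relocate on, bottom-up unset
CERT_WORKAROUND = bytes.fromhex("0001010000000000")  # force-relocate on + bottom-up on

if __name__ == "__main__":
    raw = read_current() if sys.platform == "win32" else EMET_STYLE
    print(decode(raw), "vulnerable:", mandatory_aslr_without_entropy(raw))
```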


About the Author

Thomas De Maesschalck

Thomas has been messing with computer since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.


