The US Computer Emergency Response Team (CERT) has issued a warning of a flaw in Windows versions from Windows 8 upwards which can prevent address space layout randomisation (ASLR) from working correctly, leaving systems vulnerable to attack.
First introduced as a feature of OpenBSD, address space layout randomisation (ASLR) aims to make it more difficult for malicious actors to exploit common vulnerabilities like buffer overflows by altering the memory locations in which important data are stored. Where a system without ASLR would always place its kernel memory in the same location, for example, a system with ASLR will place its kernel memory in a random location each time - making it far more difficult for an attacker to target a particular memory location.
Microsoft's implementation of ASLR, present since the release of Windows Vista, has been found to have a flaw which prevents it from working correctly on all versions of Windows from Windows 8 upwards. Security researcher Will Dormann explains: 'Both EMET [Enhanced Mitigation Experience Toolkit] and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR,' he writes in the CERT announcement. 'Although Windows Defender Exploit guard does have a system-wide option for system-wide bottom-up-ASLR, the default GUI value of "On by default" does not reflect the underlying registry value (unset). This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems.'
The flaw only affects programs which have not been explicitly written to take advantage of ASLR, and can be easily remedied by users comfortable with registry editing by setting a flag in the MitigationOptions key and rebooting the system.
April 7 2020 | 14:00