ASLR problem on Windows

Windows 8, Windows 8.1, and Windows 10 fail to properly apply ASLR when the feature is forced on system-wide, leaving the very programs that setting is meant to protect loaded at the same address on every boot.

Address Space Layout Randomization (ASLR) is a memory-safety mitigation that randomizes the addresses at which a program's executable, its libraries, its heap and its stack are placed each time it runs, so an attacker exploiting a memory-corruption bug cannot know in advance where code or data will be.

ASLR first shipped in a mainstream operating system with OpenBSD in 2003 (the PaX patch set had implemented it for Linux in 2001), and it has since been added to every major platform, including Linux, Android, macOS, and Windows.

Microsoft added ASLR to Windows with Vista, in 2006, but it only randomizes executables and DLLs that opt in at build time with the /DYNAMICBASE linker flag. To force it onto programs that did not opt in, users had to install Microsoft EMET and use its GUI to enable "mandatory ASLR" system-wide and/or for specific applications.

With the Windows 10 Fall Creators Update (version 1709), EMET's mitigations, mandatory ASLR among them, were folded into Windows Defender Exploit Guard, and users can now enable them from the Windows Defender Security Center (under App & browser control, then Exploit protection settings).

(Screenshot: Windows ASLR settings)

While looking into a recently disclosed 17-year-old vulnerability in the Microsoft Office Equation Editor (CVE-2017-11882), CERT/CC vulnerability analyst Will Dormann discovered that, under specific conditions, ASLR was not randomizing the addresses at which application binaries are loaded.

ASLR fails because of a modified registry value

According to Dormann, when users turn on system-wide mandatory ASLR, Windows 8 and later does relocate executables that were not built with /DYNAMICBASE, but it does so without any entropy (random data) unless system-wide bottom-up ASLR is enabled as well, and the system-wide mandatory setting on its own does not turn bottom-up randomization on.

"The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems," Dormann said today in a CERT alert he wrote on the topic.

For those programs this is equivalent to having no ASLR at all: an attacker who learns the load address once can reuse it on every machine, which makes code-reuse attacks such as return-oriented programming possible without the information leak that ASLR is supposed to force them to find first.

The researcher says the issue affects only Windows 8 and later because, starting with that release, Microsoft moved the system-wide setting into a registry value (MitigationOptions) that enables forced relocation without also enabling bottom-up randomization.

Workaround available

Dormann says that users must enable ASLR in a system-wide configuration with bottom-up randomization turned on, that is, both mandatory ASLR and bottom-up ASLR, for forced relocation to actually randomize anything.

While Microsoft is expected to address the issue in a future update, the only way to get ASLR into the proper configuration for now is to edit the Windows Registry directly. CERT/CC provided the following workaround.

Step 1: Create a blank text file and enter the following text:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00

Step 2: Save the file with a .reg extension, for example, ASLR.reg.

Step 3: Open the Windows Registry Editor by searching for "regedit" in your Start menu.

Step 4: Select the File menu option and choose to import the .reg file you just created above. Note that importing it replaces whatever MitigationOptions value was already present, so if other system-wide mitigations had been configured (by EMET, Exploit Guard or Group Policy), check the existing value first and merge the two settings into it rather than overwriting them, and reboot afterwards so that every process starts under the new policy.

(Screenshot: Windows Registry import feature)

Optionally, Bleeping Computer has created a ready-made ASLR-fix .reg file that users only need to download and double-click.
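To see what those 16 bytes actually say, the following Python script (an added example, not part of the CERT/CC note or this article) decodes and builds the MitigationOptions value. It assumes the value uses the layout of the documented PROCESS_CREATION_MITIGATION_POLICY_* constants: a little-endian 64-bit policy word, followed by a second word for newer options, in which each mitigation owns a 4-bit field with 0 = defer to the binary, 1 = always on, 2 = always off. The short field names are this example's own, and the two sample values are constructed: the workaround value from the .reg file above, and the value you get when only the mandatory-ASLR toggle is switched on.

```python
# Added example, not from the CERT/CC note or this article: decode and build the
# 16-byte MitigationOptions REG_BINARY value that the workaround above writes.
# Assumption: the value follows the layout of the documented
# PROCESS_CREATION_MITIGATION_POLICY_* constants: a little-endian 64-bit policy
# word (plus a second word for newer POLICY2_* options, left untouched here) in
# which each mitigation owns a 4-bit field: 0 = defer to the binary's own
# settings, 1 = always on, 2 = always off. The short field names are ours.
from __future__ import annotations

STATE_CODE = {"defer": 0, "on": 1, "off": 2}
STATE_NAME = {code: name for name, code in STATE_CODE.items()}

# Bit offset of each 4-bit field inside the first policy word.
FIELDS = {
    "ForceRelocateImages": 8,     # "mandatory ASLR": relocate images built without /DYNAMICBASE
    "HeapTerminate": 12,
    "BottomUpASLR": 16,           # randomize bottom-up allocations, relocated images included
    "HighEntropyASLR": 20,
    "StrictHandleChecks": 24,
    "DisableWin32kSystemCalls": 28,
    "DisableExtensionPoints": 32,
    "ProhibitDynamicCode": 36,
    "ControlFlowGuard": 40,
    "BlockNonMicrosoftBinaries": 44,
    "DisableFonts": 48,
    "NoRemoteImages": 52,
    "NoLowIntegrityImages": 56,
    "PreferSystem32Images": 60,
}


def parse_reg_hex(text: str) -> bytes:
    """Turn the 'hex:00,01,...' notation of a .reg file (line-continuation
    backslashes included) into raw bytes."""
    text = text.strip().replace("\\", "").replace("\n", "")
    if text.lower().startswith("hex:"):
        text = text[4:]
    return bytes(int(b, 16) for b in text.split(",") if b.strip())


def to_reg_hex(blob: bytes) -> str:
    """Inverse of parse_reg_hex, for pasting into a .reg file."""
    return "hex:" + ",".join(f"{b:02x}" for b in blob)


def decode(blob: bytes) -> dict[str, str]:
    """Map each named mitigation to its state in the first policy word."""
    if len(blob) not in (8, 16):
        raise ValueError("MitigationOptions must be 8 or 16 bytes long")
    word = int.from_bytes(blob[:8], "little")
    result = {}
    for name, shift in FIELDS.items():
        code = (word >> shift) & 0x3
        if name == "ForceRelocateImages" and code == 3:
            # ALWAYS_ON_REQ_RELOCS: also refuse images whose relocations were stripped
            result[name] = "on_req_relocs"
        else:
            result[name] = STATE_NAME.get(code, "reserved")
    return result


def encode(**settings: str) -> bytes:
    """Build a 16-byte value from keyword states, e.g. encode(BottomUpASLR="on")."""
    word = 0
    for name, state in settings.items():
        word |= STATE_CODE[state] << FIELDS[name]
    return word.to_bytes(8, "little") + bytes(8)


def aslr_status(blob: bytes) -> str:
    """Classify a system-wide value the way CERT/CC's finding does."""
    opts = decode(blob)
    forced = opts["ForceRelocateImages"] in ("on", "on_req_relocs")
    if not forced:
        return "not forced"                  # only /DYNAMICBASE images get randomized
    if opts["BottomUpASLR"] != "on":
        return "forced but deterministic"    # relocated, but to the same address every boot
    return "forced and randomized"


# Constructed sample values: the CERT/CC workaround from the .reg file above, and
# the value left behind when only the mandatory-ASLR toggle is switched on.
WORKAROUND = parse_reg_hex("hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00")
MANDATORY_ONLY = parse_reg_hex("hex:00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00")

if __name__ == "__main__":
    for label, blob in (("workaround", WORKAROUND), ("mandatory only", MANDATORY_ONLY)):
        enabled = [k for k, v in decode(blob).items() if v != "defer"]
        print(f"{label:15s} {to_reg_hex(blob)}  enabled={enabled}  -> {aslr_status(blob)}")
```

Run as is, it decodes the workaround value to ForceRelocateImages=on plus BottomUpASLR=on and classifies it as forced and randomized, while the value with only byte 1 set comes back as forced but deterministic, which is exactly the state Dormann described. On a live machine you can pull the current bytes with PowerShell, `(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel').MitigationOptions`, feed them to decode(), and on Windows 10 1709 or later cross-check against `Get-ProcessMitigation -System`, which reports the same settings by name.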
