ASLR problem on Windows

Windows 8, Windows 8.1, and subsequent Windows 10 variations fail to properly apply ASLR, rendering this crucial Windows security feature useless.

Address Space Layout Randomization (ASLR) is a computer security technique that randomizes the memory address where application code is executed.

ASLR made its debut in OpenBSD, in 2003, and since that time it's been added to all major operating systems, including Linux, Android, macOS, and Windows.

Microsoft added ASLR in Windows with the release of Vista, in 2006. In order to enable the feature, users had to install Microsoft EMET and use its GUI to enable ASLR in system-wide and/or application-specific states.

With the release of Windows 10, ASLR was added to Windows Defender Exploit Guard, and users can now enable it via the Windows Defender Security Center (under App & browser control, then Exploit protection settings).

Windows ASLR settings

While looking into a recently disclosed 17-year-old vulnerability affecting the Microsoft Office equation editor, CERT/CC vulnerability analyst Will Dormann discovered that ASLR was not randomizing the memory locations of application binaries under specific conditions.

ASLR fails because of a modified registry value

According to Dormann, when users turned on system-wide ASLR protection, a bug in the feature's implementation on Windows 8 and later would not generate enough entropy (random data) to start application binaries in random memory locations.

"The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems," Dormann said today in a CERT alert he wrote on the topic.

This is the equivalent of ASLR not being enabled at all, which means users are open to commonplace code-reuse attacks: once an attacker has learned the layout of an application's memory, malicious code can target the same addresses every time.

The researcher says this issue affects only Windows 8 and later because Microsoft changed the registry values through which it started ASLR.

Workaround available

Dormann says that users must enable ASLR in a system-wide bottom-up configuration in order for ASLR to work properly.

While Microsoft is expected to fix the issue in a future patch, currently, the only way of starting ASLR in the proper configuration is by tinkering with the Windows Registry. US CERT/CC provided the following workaround.

Step 1: Create a blank text file and enter the following text:

Windows Registry Editor Version 5.00

; MitigationOptions is read as a little-endian bit field; the second byte (0x01)
; sets FORCE_RELOCATE_IMAGES to "always on" and the third byte (0x01) sets
; BOTTOM_UP_ASLR to "always on", which is the combination the CERT note requires.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00

Step 2: Save the file with a .reg extension, for example, ASLR.reg.

Step 3: Open the Windows Registry Editor by searching for "regedit" in your Start menu.

Step 4: Select the File menu option and choose to import the .reg file you just created above.

Windows Registry import feature

Optionally, Bleeping Computer has created an ASLR-fix registry fix file that users only need to download and double-click.
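To confirm that the imported value actually enables both policies, or to spot the broken "forced relocation without bottom-up ASLR" state Dormann describes, the following script decodes a MitigationOptions blob and flags that combination. It is an added example, not code from the article or from CERT/CC; the bit positions follow the PROCESS_CREATION_MITIGATION_POLICY_* constants in winbase.h, and the two sample values are constructed (the live registry read only works on Windows).

```python
from typing import Optional

# MitigationOptions is a REG_BINARY blob interpreted as a little-endian integer.
# Each policy occupies a 2-bit field: 01 = ALWAYS_ON, 10 = ALWAYS_OFF, 00 = not set.
FORCE_RELOCATE_IMAGES_SHIFT = 8   # 0x00000100 = always on, 0x00000200 = always off
BOTTOM_UP_ASLR_SHIFT = 16         # 0x00010000 = always on, 0x00020000 = always off

STATE = {0: "defer to image", 1: "ALWAYS_ON", 2: "ALWAYS_OFF", 3: "invalid"}

def parse_reg_hex(text: str) -> bytes:
    """Turn the 'hex:00,01,...' form used in .reg files into bytes."""
    body = text.strip()
    if body.lower().startswith("hex:"):
        body = body[4:]
    return bytes(int(b, 16) for b in body.replace("\\", "").split(",") if b.strip())

def policy_state(options: bytes, shift: int) -> str:
    value = int.from_bytes(options, "little")
    return STATE[(value >> shift) & 0b11]

def check_aslr(options: bytes) -> dict:
    force = policy_state(options, FORCE_RELOCATE_IMAGES_SHIFT)
    bottom_up = policy_state(options, BOTTOM_UP_ASLR_SHIFT)
    # The condition from the CERT note: images are forcibly relocated, but without
    # bottom-up ASLR they land at the same address on every boot and every machine.
    misconfigured = force == "ALWAYS_ON" and bottom_up != "ALWAYS_ON"
    return {"force_relocate": force, "bottom_up_aslr": bottom_up, "misconfigured": misconfigured}

def read_live_value() -> Optional[bytes]:
    """Read the real value on Windows; returns None elsewhere or if the value is absent."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            data, _ = winreg.QueryValueEx(key, "MitigationOptions")
            return bytes(data)
    except OSError:
        return None

if __name__ == "__main__":
    # Constructed samples: the CERT workaround value, and the broken "force relocate only" state.
    samples = {
        "CERT workaround": "hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00",
        "force-relocate only": "hex:00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00",
    }
    live = read_live_value()
    if live is not None:
        samples["this machine"] = "hex:" + ",".join(f"{b:02x}" for b in live)
    for name, raw in samples.items():
        print(name, check_aslr(parse_reg_hex(raw)))
```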
