Address Space Layout Randomisation (ASLR) is a technique Windows uses to hinder code-reuse attacks, and researchers at CERT have found a flaw in its implementation that renders it pointless on devices running Windows 8 and Windows 10. The feature was first introduced in Windows Vista and is implemented on Windows 8 and above to safeguard the operating system against memory-based and code-reuse attacks.
ASLR is a memory-protection mechanism: it makes buffer-overflow exploits harder by loading executables at random addresses, so an attacker cannot predict where code and data will sit. According to the CERT report, on Windows 8 and above system-wide ASLR can be enabled through the Enhanced Mitigation Experience Toolkit (EMET) and Windows Defender Exploit Guard (WDEG). The feature is rendered worthless because the mandatory ASLR that EMET and WDEG apply to specific applications does not actually randomise them.
The report further states that even with WDEG enforcing ASLR, the executables are relocated, but to the same address every time, across reboots and even across different systems. Because the addresses are predictable, an attacker can still target important code and data on machines running Windows 8 or Windows 10 with Microsoft EMET or WDEG.
The report states, “This change (in system-wide ASLR implementation) requires system-wide bottom-up ASLR to be enabled for mandatory ASLR to receive entropy. Tools that enable system-wide ASLR without also setting bottom-up ASLR will fail to properly randomise executables that do not opt-in to ASLR.” CERT says there is currently no fix for the vulnerability but recommends a workaround: enable system-wide bottom-up ASLR on any system where system-wide mandatory ASLR is enabled.
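The check a defender wants here is whether mandatory ASLR is forced system-wide without bottom-up ASLR, and a way to apply the recommended workaround. The following PowerShell script is an added example, not code from CERT or the article; it assumes a Windows 10 build that ships the ProcessMitigations module (the one WDEG uses), and the ASLR property names are taken from the output of Get-ProcessMitigation.

```powershell
# Added example (not from the CERT report or this article): audit the
# misconfiguration described above on a Windows 10 host that has the
# ProcessMitigations module (shipped alongside Windows Defender Exploit Guard).
# Assumed: Get-ProcessMitigation -System exposes .ASLR.ForceRelocateImages
# and .ASLR.BottomUp with values ON / OFF / NOTSET.
param([switch]$Fix)   # -Fix applies the CERT workaround; run from an elevated shell

$sys = Get-ProcessMitigation -System

# "Mandatory ASLR" in the report = ForceRelocateImages; "bottom-up ASLR" = BottomUp.
$forced   = "$($sys.ASLR.ForceRelocateImages)" -eq 'ON'
$bottomUp = "$($sys.ASLR.BottomUp)"            -eq 'ON'

Write-Host "System-wide mandatory ASLR (ForceRelocateImages): $($sys.ASLR.ForceRelocateImages)"
Write-Host "System-wide bottom-up ASLR  (BottomUp):           $($sys.ASLR.BottomUp)"

if ($forced -and -not $bottomUp) {
    # This is exactly the zero-entropy case: images that did not opt in to ASLR
    # are relocated, but to the same address on every boot and every machine.
    Write-Warning ("Mandatory ASLR is enabled without bottom-up ASLR: executables that " +
                   "do not opt in to ASLR are relocated to a predictable address.")
    if ($Fix) {
        # CERT's workaround: enable bottom-up ASLR wherever mandatory ASLR is on.
        Set-ProcessMitigation -System -Enable BottomUp
        Write-Host "Bottom-up ASLR enabled system-wide; reboot for the change to take effect."
    } else {
        Write-Host "Re-run with -Fix from an elevated shell to enable bottom-up ASLR."
    }
} elseif (-not $forced) {
    Write-Host "Mandatory ASLR is not forced system-wide, so this issue does not apply as described."
} else {
    Write-Host "OK: mandatory ASLR and bottom-up ASLR are both enabled; forced relocations receive entropy."
}
```

The system-wide setting only affects executables that do not opt in to ASLR themselves; per-application overrides set through WDEG are not inspected by this script.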
The CERT report was written by Will Dormann (@wdormann), who tweeted on November 16, 2017: “Starting with Windows 8.0, system-wide mandatory ASLR (enabled via EMET) has zero entropy, essentially making it worthless. Windows Defender Exploit Guard for Windows 10 is in the same boat. More details to come... https://t.co/xMR5qIKVGH”