ASLR fails in Windows 8, 8.1 and 10 – but there is a fix

Here is Microsoft's next security glitch. Developers made a mistake that causes the ASLR mechanism not always to work properly in Windows 8, Windows 8.1 and Windows 10. But there is a fix.

Address Space Layout Randomization (ASLR) is a computer security technology designed to make it harder for attackers to exploit a buffer overflow. The technique is included in all modern operating systems. Windows Vista was the first Windows version in which Microsoft implemented ASLR system-wide.

Windows 10: ASLR is included in Defender

On Windows Vista or Windows 7, users had to install Microsoft EMET to enforce ASLR system-wide and/or for specific applications. However, EMET will be discontinued in 2018, and Microsoft has integrated its functions into Windows 10.

ASLR in Defender

The setting is found in Windows Defender Security Center (accessible via the Settings app) under App & browser control, in the Exploit protection settings subgroup.

A discovery made while investigating an Office flaw

A few hours ago I published the blog post Has Microsoft lost access to parts of Office source code?, about the patch for the Office Equation Editor. While investigating this vulnerability, CERT/CC vulnerability analyst Will Dormann discovered that, under certain conditions, ASLR did not randomize the memory locations at which application binaries were loaded. On Windows 7 with EMET, ASLR assigned loaded modules random addresses on every restart of Windows; on Windows 10 this was no longer the case. Dormann published his findings in a Tweet.


The flawed Equation Editor EQNEDT32.EXE was loaded at the same memory address each time the program was restarted. According to this CERT alert, an incorrect registry entry introduced with Windows 8 (and therefore also present in Windows 8.1 and Windows 10) prevents ASLR from being applied reliably.

Fix: Add some registry values

Fortunately, there is a fix to make ASLR work again under Windows 8 – 10. Create a .reg file with the following content:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00

Then import this .reg file with administrator privileges. This should fix the flaw in Windows ASLR. (via Bleeping Computer)
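As an added check that is not part of the original post, the PowerShell snippet below decodes the MitigationOptions value and reports whether both mandatory ASLR and bottom-up randomization are forced on. It assumes the value uses the same layout as the PROCESS_CREATION_MITIGATION_POLICY_* constants (a 2-bit field per mitigation: ForceRelocateImages at bits 8-9, bottom-up ASLR at bits 16-17, 1 = always on, 2 = always off); the function and sample names are my own.

```powershell
# Added check, not from the original post: decode the kernel MitigationOptions
# value and report whether mandatory ASLR and bottom-up ASLR are both forced on.
# Assumed field layout (matches PROCESS_CREATION_MITIGATION_POLICY_* constants):
# each mitigation is a 2-bit field, 1 = always on, 2 = always off, 0 = default.
$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'

function Get-MitigationField {
    param([byte[]]$Bytes, [int]$BitOffset)
    # The REG_BINARY value is a little-endian bitmask; read the two bits at $BitOffset.
    $byteIndex = [int][math]::Floor($BitOffset / 8)
    if ($byteIndex -ge $Bytes.Length) { return 'default' }
    $field = ($Bytes[$byteIndex] -shr ($BitOffset % 8)) -band 0x3
    switch ($field) {
        1       { 'always on' }
        2       { 'always off' }
        default { 'default' }
    }
}

function Test-AslrFix {
    param([byte[]]$Bytes)
    if (-not $Bytes) {
        # No bytes supplied: read the live value from the registry.
        $item = Get-ItemProperty -Path $KernelKey -Name MitigationOptions -ErrorAction SilentlyContinue
        if (-not $item) {
            Write-Host 'MitigationOptions is not set; system-wide mandatory ASLR is not configured.'
            return $false
        }
        $Bytes = [byte[]]$item.MitigationOptions
    }
    $relocate = Get-MitigationField -Bytes $Bytes -BitOffset 8    # ForceRelocateImages
    $bottomUp = Get-MitigationField -Bytes $Bytes -BitOffset 16   # BottomUpASLR
    Write-Host ("Mandatory ASLR (ForceRelocateImages): {0}" -f $relocate)
    Write-Host ("Bottom-up ASLR:                       {0}" -f $bottomUp)
    return ($relocate -eq 'always on' -and $bottomUp -eq 'always on')
}

# Constructed sample: the value written by the .reg fix above (00,01,01,00,...).
$fixed = [byte[]](0x00,0x01,0x01,0x00,0,0,0,0,0,0,0,0,0,0,0,0)
Test-AslrFix -Bytes $fixed
# Constructed sample: mandatory ASLR forced on without bottom-up randomization.
$partial = [byte[]](0x00,0x01,0x00,0x00,0,0,0,0,0,0,0,0,0,0,0,0)
Test-AslrFix -Bytes $partial
# Run Test-AslrFix without arguments to check the local machine's registry.
```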

Addendum: There is a statement from Microsoft – see my blog post Windows 8/8.1/10: Microsoft says ASLR flaw is a feature.

This entry was posted in Security, Windows.