{"id":4315,"date":"2017-11-23T10:41:08","date_gmt":"2017-11-23T09:41:08","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=4315"},"modified":"2019-11-28T10:48:38","modified_gmt":"2019-11-28T09:48:38","slug":"windows-8-8-1-10-microsoft-says-aslr-flaw-is-a-feature","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2017\/11\/23\/windows-8-8-1-10-microsoft-says-aslr-flaw-is-a-feature\/","title":{"rendered":"Windows 8\/8.1\/10: Microsoft says ASLR flaw is a feature"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2013\/03\/winb.jpg\" width=\"58\" height=\"58\" align=\"left\" \/>[<a href=\"http:\/\/www.borncity.com\/blog\/2017\/11\/23\/windows-8-8-1-10-aslr-patzer-ist-ein-feature-sagt-microsoft\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]According to Microsoft, the partially non-functional ASLR memory protection in Windows 8, Windows 8.1 and Windows 10 is not a bug, but simply a feature that has been built in.<\/p>\n<p><!--more--><\/p>\n<p>A few days ago I covered the issue in my blog post <a href=\"https:\/\/borncity.com\/win\/2017\/11\/21\/aslr-fails-in-windows-8-8-1-and-10-but-there-is-a-fix\/\">ASLR fails in Windows 8, 8.1 and 10 \u2013 but there is a fix<\/a>. I wrote 'Developers have made a mistake that causes the ASLR mechanism to not always work properly in Windows 8, Windows 8.1 and Windows 10.' 
<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ssl-vg03.met.vgwort.de\/na\/f7b8a14dcd4a48e297358c078912a854\" alt=\"\" width=\"1\" height=\"1\" \/><a href=\"https:\/\/en.wikipedia.org\/wiki\/Address_space_layout_randomization\">Address Space Layout Randomization (ASLR)<\/a> is a computer security technology designed to make it harder for attackers to exploit a buffer overflow.<\/p>\n<p>CERT\/CC vulnerability analyst Will Dormann discovered that, under certain conditions, ASLR did not randomize the memory locations at which the code of application binaries is loaded. While in Windows 7 and EMET the memory addresses of loaded modules were randomized by ASLR on restarting Windows, this was no longer the case in Windows 10. Dormann published his findings in a <a href=\"https:\/\/twitter.com\/wdormann\/status\/930916460473577474\">Tweet<\/a>.<\/p>\n<h2>Microsoft disagrees with the analysis<\/h2>\n<p>Microsoft has rejected Will Dormann's analysis. The <a href=\"https:\/\/web.archive.org\/web\/20190419181143\/https:\/\/blogs.technet.microsoft.com\/srd\/2017\/11\/21\/clarifying-the-behavior-of-mandatory-aslr\/\" target=\"_blank\" rel=\"noopener noreferrer\">answer from Microsoft<\/a> is that ASLR works as intended and that the lack of randomization that Will Dormann &#8211; with the support of Matt Miller from Microsoft \u2013 discovered was a feature and not an error.<\/p>\n<p>In short, ASLR works as intended and the configuration problem described by CERT\/CC only affects applications where the EXE has not opted in to ASLR. The configuration problem is not a vulnerability, does not cause additional risk and does not weaken the existing security posture of applications, says Microsoft. 
They posted the following table.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"Microsoft ASLR-Tabelle\" src=\"https:\/\/regmedia.co.uk\/2017\/11\/22\/aslr_table.jpg\" alt=\"Microsoft ASLR-Tabelle\" width=\"585\" height=\"158\" \/><br \/>\nMicrosoft ASLR table, Source: Microsoft<\/p>\n<p>Microsoft said that Dormann's discovery only applied to the case that was colored yellow in the above table and added: \"the entropy of images rebased by mandatory ASLR is inherently reliant on bottom-up randomisation being enabled for the process.\" All details can be found in Microsoft's <a href=\"https:\/\/web.archive.org\/web\/20190419181143\/https:\/\/blogs.technet.microsoft.com\/srd\/2017\/11\/21\/clarifying-the-behavior-of-mandatory-aslr\/\" target=\"_blank\" rel=\"noopener noreferrer\">blog post here<\/a>. (<a href=\"https:\/\/www.theregister.co.uk\/2017\/11\/22\/microsoft_says_aslr_a_feature_not_a_bug\/\" target=\"_blank\" rel=\"noopener noreferrer\">via<\/a>)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]According to Microsoft, the partially non-functional ASLR memory protection in Windows 8, Windows 8.1 and Windows 10 is not a bug, but simply a feature that has been built 
in.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[1151,69,194],"class_list":["post-4315","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-aslr","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4315","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=4315"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4315\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=4315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=4315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=4315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}