Will Dormann of Carnegie Mellon University’s CERT/CC says the Address Space Layout Randomization (ASLR) feature is not doing its job. He says the feature has been available since Windows 8.0 but does not work properly. ASLR is a defense that prevents code executed attacks on predictable memory locations on an operating system. It does this by literally randomizing program load addresses. The feature is a mainstay across Windows, Linux, Android, iOS and MacOS. Microsoft first employed it in Windows Vista to prevent memory-based attacks. For Windows 8, the company believed it was improving on ASLR with its Force ASLR ability. This allowed randomized executables even when applications don’t natively support ASLR.
— Will Dormann (@wdormann) November 16, 2017 The new feature was bundled in to Microsoft Enhanced Mitigation Experience Toolkit (EMET). However, this key security selling point has held an important error all this time. Dormann points out that the feature is relocating programs to the same address instead of randomizing them. “Starting with Windows 8.0, system-wide mandatory ASLR (enabled via EMET) has zero entropy, essentially making it worthless. Windows Defender Exploit Guard for Windows 10 is in the same boat,” Dormann showed on Twitter.
Windows 7 is Safer
Dormann says he found the fault while looking into the newly found Microsoft Equation Editor vulnerability (EQNEDT32.EXE). Admins could force ASLR on EQNEDT32.EXE by enabling system-wide ASLR in EMET. Because Force ASLR is not functioning as it should, Dormann says Windows 7 users with EMET and ASLR are getting a more complete protection than Windows 10 users. “Actually, with Windows 7 and EMET System-wide ASLR, the loaded address for eqnedt32.exe is different on every reboot. But with Windows 10 with either EMET or WDEG, the base for eqnedt32.exe is 0x10000 EVERY TIME. Conclusion: Win10 cannot enforce ASLR as well as Win7.” “Windows 8 and newer systems that have system-wide ASLR enabled via EMET or Windows Defender Exploit Guard will have non-DYNAMICBASE applications relocated to a predictable location, thus voiding any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier,” wrote Dormann in a CERT/CC advisory.
