Windows 8 onwards incorrectly implements ASLR security feature, but you can fix it

Since Vista, Windows has included a security feature known as ASLR. Address Space Layout Randomization uses a random memory address to execute code, but in Windows 8, Windows 8.1 and Windows 10 the feature is not always applied properly.

A security analyst discovered that in the last three versions of Windows, ASLR was in fact not using random memory addresses, essentially rendering it useless. The good news is that there is a fix -- but you will have to apply it manually.

The idea behind ASLR is that by executing code in random locations, it helps to protect against exploits that try to take advantage of code being executed in predictable or known memory addresses. But a problem arises if EMET or Windows Defender Exploit Guard is used to enable mandatory ASLR on a system-wide basis.

Security expert Will Dormann explains the issue -- which comes about because of a registry entry -- in a post on CERT:

Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR. Although Windows Defender Exploit guard does have a system-wide option for system-wide bottom-up-ASLR, the default GUI value of "On by default" does not reflect the underlying registry value (unset). This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems.

The solution is to create a .reg file with the following text:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]


Import this file into the Registry Editor and everything should be sorted.

22 Responses to Windows 8 onwards incorrectly implements ASLR security feature, but you can fix it

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.