US CERT issues warning on ASLR vulnerability in Windows

News by Doug Olenick

US CERT has issued a warning on a vulnerability in Windows' Address Space Layout Randomisation (ASLR) that affects Windows 8, Windows 8.1, and Windows 10 which could allow an attacker to take control of an affected system.

Also in:

US CERT has issued a warning on a vulnerability in Windows' Address Space Layout Randomisation (ASLR) that affects Windows 8, Windows 8.1, and Windows 10 which could an attacker to take control of an affected system.

CERT's Will Dormann wrote in Vulnerability Note #817544 that both the Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard without also enabling system-wide bottom-up ASLR. ASLR is designed to prevent code-reuse attacks by loading modules in non-predictable addresses, however, the default setting for Windows Defender Exploit Guard GUI is "On by default" and does not reflect the underlying registry value (unset) resulting in programs being relocated to the same address even if the computer is rebooted.

“Windows 8 and newer systems that have system-wide ASLR enabled via EMET or Windows Defender Exploit Guard will have non-DYNAMICBASE applications relocated to a predictable location, thus voiding any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier,” Dormann wrote.

There is no solution at this time, but Microsoft is investigating the issue.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events