Microsoft Security Faux Pas: ASLR implementation issue on Windows 8 and 10


If you use Microsoft EMET on Windows 8.x or Windows 10 machines, or the new Windows Defender Exploit Guard on Windows 10 version 1709, your system may not have been properly protected by Address Space Layout Randomization (ASLR).

Security researcher Will Dormann of the CERT/CC discovered an ASLR implementation issue on Windows 8 and Windows 10 machines.

Microsoft introduced ASLR in Windows Vista to prevent code-reuse attacks by randomizing the addresses at which executable images are loaded.

While applications can make use of ASLR directly, Microsoft EMET could be used to add system-wide or application-specific support for ASLR on Windows machines.

[Image: Microsoft EMET 5.5 beta]

Microsoft recently announced plans to retire EMET, and added exploit protections to the Windows 10 Fall Creators Update as a replacement.

According to the disclosure on Cert.org, Microsoft changed the way system-wide ASLR is handled: system-wide mandatory ASLR now also requires system-wide bottom-up ASLR to be enabled in order to provide any randomization.

Microsoft Windows 8 introduced a change in how system-wide mandatory ASLR is implemented. This change requires system-wide bottom-up ASLR to be enabled for mandatory ASLR to receive entropy. Tools that enable system-wide ASLR without also setting bottom-up ASLR will fail to properly randomize executables that do not opt in to ASLR.

The effect is problematic from a security point of view, as the load addresses of executables that do not opt in to ASLR become predictable even if system-wide ASLR is enabled via EMET or Exploit Guard in Windows 10 Version 1709.

Luckily, there is a workaround for the issue: enable both system-wide mandatory ASLR and bottom-up ASLR on the target machine.


Note: It is recommended that you back up the Registry before modifying it. Also note that importing the value will overwrite any system-wide mitigations already specified by that Registry value.

This is done by importing the following Registry value:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00
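To see why the fix needs the second non-zero byte, the following added example (not from the article or the CERT note) decodes the MitigationOptions bitmap. It assumes the registry value uses the same two-bit field layout as the Win32 PROCESS_CREATION_MITIGATION_POLICY_* process-creation constants, where bits 8-9 are mandatory ASLR (force relocate images) and bits 16-17 are bottom-up ASLR; the two sample .reg lines are constructed, one being the fix above and the other a setting that enables mandatory ASLR only.

```python
import re

# Two-bit fields of the MitigationOptions bitmap (assumed to follow the
# Win32 PROCESS_CREATION_MITIGATION_POLICY_* layout): per field,
# 0 = not configured, 1 = always on, 2 = always off.
FIELDS = {
    "force_relocate_images": 8,   # mandatory ASLR
    "bottom_up_aslr": 16,
    "high_entropy_aslr": 20,
}
STATE = {0: "default", 1: "on", 2: "off", 3: "on"}  # 3 = on (+ require relocs)


def parse_reg_hex(line: str) -> int:
    """Turn a .reg '"Name"=hex:00,01,...' line into a little-endian integer."""
    m = re.search(r"hex:([0-9a-fA-F,]+)", line)
    if not m:
        raise ValueError("no hex: payload found")
    raw = bytes(int(b, 16) for b in m.group(1).split(",") if b)
    return int.from_bytes(raw, "little")


def decode(options: int) -> dict:
    """Map each known field to 'on', 'off' or 'default'."""
    return {name: STATE[(options >> shift) & 0x3] for name, shift in FIELDS.items()}


def check_aslr(options: int) -> str:
    """Flag the misconfiguration the CERT note describes."""
    flags = decode(options)
    if flags["force_relocate_images"] == "on" and flags["bottom_up_aslr"] != "on":
        return "VULNERABLE: mandatory ASLR without bottom-up ASLR; relocated images get no entropy"
    if flags["force_relocate_images"] == "on":
        return "OK: mandatory ASLR and bottom-up ASLR both enabled"
    return "INFO: mandatory ASLR not enabled system-wide"


# Constructed samples: the article's fix, and a mandatory-ASLR-only setting.
FIXED = '"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00'
BROKEN = '"MitigationOptions"=hex:00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00'

if __name__ == "__main__":
    for label, line in (("fixed", FIXED), ("broken", BROKEN)):
        opts = parse_reg_hex(line)
        print(label, hex(opts), decode(opts), check_aslr(opts))
```

On a live Windows machine the same bytes can be read from the Registry key above and passed to check_aslr to confirm the state after importing the file.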

You can do this the manual way, but it is faster if you create a Registry file and import it instead. We have created the Registry file for you, so that you only have to double-click on it to import the data.

Download it with a click on the following link: aslr.zip

Just extract the downloaded archive, and double-click on the Registry file to import the data in the Registry. You can open the file in any plain text editor first to evaluate what it does before you do so. (via Born City)