- Feb 4, 2016
Windows 8 and Later Fail to Properly Apply ASLR, Here's How to Fix
Windows 8, Windows 8.1, and later Windows 10 releases fail to properly apply ASLR, rendering this crucial Windows security feature useless.
Address Space Layout Randomization (ASLR) is a computer security technique that randomizes the memory address where application code is executed.
ASLR made its debut in OpenBSD, in 2003, and since that time it's been added to all major operating systems, including Linux, Android, macOS, and Windows.
Microsoft added ASLR to Windows with the release of Vista, in 2006. To enable the feature, users had to install Microsoft EMET and use its GUI to turn ASLR on system-wide or for specific applications.
With the release of Windows 10, ASLR was added to Windows Defender Exploit Guard, and users can now enable it via the Windows Defender Security Center (under App & browser control, then Exploit protection settings).
While looking into a recently disclosed 17-year-old vulnerability affecting the Microsoft Office equation editor, CERT/CC vulnerability analyst Will Dormann discovered that, under specific conditions, ASLR was not randomizing the load addresses of application binaries.
Workaround available
Dormann says that users must enable ASLR in a system-wide bottom-up configuration in order for ASLR to work properly.
While Microsoft is expected to fix the issue in a future patch, currently the only way to put ASLR in the proper configuration is by editing the Windows Registry. US CERT/CC provided the following workaround.
Step 1: Create a blank text file and enter the following text:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00
Step 2: Save the file with a .reg extension, for example, ASLR.reg.
Step 3: Open the Windows Registry Editor by searching for "regedit" in your Start menu.
Step 4: Select the File menu option and choose to import the .reg file you just created above.
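After importing the file, it is worth confirming that the value actually landed and what it encodes. The following PowerShell check is an added example, not part of the original article or of the CERT/CC workaround; it reads the MitigationOptions value from the key above and decodes the ASLR-related policy fields. The bit positions come from the PROCESS_CREATION_MITIGATION_POLICY_* constants in the Windows SDK (winbase.h), where each policy is a 2-bit field in a little-endian 64-bit mask; the value in the .reg file is 16 bytes, of which the first eight hold that mask.

```powershell
# Added example: decode the system-wide MitigationOptions value so the
# imported .reg file can be verified. Run in an elevated or normal shell;
# reading this key does not require administrator rights.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$ValueName = 'MitigationOptions'

# Bit offset of each 2-bit policy field (from winbase.h):
#   01 = always on, 10 = always off, 00 = defer to per-process/default.
$Policies = [ordered]@{
    'Mandatory ASLR (ForceRelocateImages)' = 8    # 0x0000000000000100
    'Bottom-up ASLR'                       = 16   # 0x0000000000010000
    'High-entropy ASLR'                    = 24   # 0x0000000001000000
}

$key = Get-Item -Path $KeyPath -ErrorAction Stop
$raw = $key.GetValue($ValueName)   # byte[] for REG_BINARY, [long] for REG_QWORD, $null if absent

if ($null -eq $raw) {
    Write-Output "$ValueName is not set; system-wide ASLR policy is at OS defaults (bottom-up is not forced)."
    return
}

if ($raw -is [byte[]]) {
    # The .reg writes 16 bytes; the policy mask is the first 8, little-endian.
    $bytes = New-Object byte[] 8
    [Array]::Copy($raw, $bytes, [Math]::Min(8, $raw.Length))
    $mask = [BitConverter]::ToUInt64($bytes, 0)
} else {
    $mask = [uint64]$raw
}

foreach ($name in $Policies.Keys) {
    $field = ($mask -shr $Policies[$name]) -band 3
    $state = switch ($field) { 1 { 'ALWAYS ON' } 2 { 'ALWAYS OFF' } 0 { 'default' } default { 'invalid (both bits set)' } }
    Write-Output ('{0,-40} {1}' -f $name, $state)
}

# Cross-check: build the mask the article's .reg file is meant to set
# (mandatory ASLR + bottom-up ASLR) and print it as the comma-separated
# hex bytes regedit uses, so it can be compared with the "MitigationOptions" line above.
$expected = ([uint64]1 -shl 8) -bor ([uint64]1 -shl 16)
$hexBytes = [BitConverter]::GetBytes($expected) | ForEach-Object { $_.ToString('x2') }
Write-Output ('Expected first 8 bytes from the .reg file: ' + ($hexBytes -join ','))
```

If Bottom-up ASLR does not read ALWAYS ON after a reboot, the import did not take effect and the .reg file should be re-checked for a typo in the key path or value.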
Optionally, Bleeping Computer has created a registry fix file for the ASLR issue that users only need to download and double-click.