Microsoft’s anti-exploitation technology has a flaw that makes it “worthless” in some cases.
Microsoft has been telling users to upgrade to Windows 10 because of its superior built-in defenses against attacks compared with Windows 7. That advice would hold if Windows 10 properly implemented the defense known as Address Space Layout Randomization (ASLR).
ASLR is used by Android, Windows, Linux, iOS and macOS to prevent attacks that rely on code executing at predictable memory locations by loading programs at random addresses.
It’s been used by Microsoft since Windows Vista to counter memory-based attacks. However, Microsoft introduced an error in Windows 8 when implementing a feature known as Force ASLR or system-wide mandatory ASLR.
This feature is meant to randomize executables even if an application hasn’t enabled support for ASLR. It can be switched on through Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). As of the Windows 10 Fall Creators Update, EMET became part of Windows Defender Exploit Guard (WDEG).
But as Will Dormann of Carnegie Mellon University’s CERT/CC discovered, enabling system-wide ASLR in Windows 8 and newer only does half the job it’s meant to, resulting in programs being relocated but to the same address every time.
“Starting with Windows 8.0, system-wide mandatory ASLR (enabled via EMET) has zero entropy, essentially making it worthless. Windows Defender Exploit Guard for Windows 10 is in the same boat,” Dormann wrote on Twitter.
Dormann made the discovery while researching the recently discovered vulnerability stemming from Microsoft Equation Editor, or EQNEDT32.EXE, which was compiled 17 years ago, long before ASLR was supported on Windows.
In theory, an admin could force ASLR on EQNEDT32.EXE by enabling system-wide ASLR in EMET or WDEG.
Not only is the feature “worthless” in Windows 10, but Windows 7 with EMET actually does a better job of enforcing ASLR than Windows 10, according to Dormann.
“Actually, with Windows 7 and EMET System-wide ASLR, the loaded address for eqnedt32.exe is different on every reboot. But with Windows 10 with either EMET or WDEG, the base for eqnedt32.exe is 0x10000 EVERY TIME. Conclusion: Win10 cannot enforce ASLR as well as Win7,” he wrote.
“Windows 8 and newer systems that have system-wide ASLR enabled via EMET or Windows Defender Exploit Guard will have non-DYNAMICBASE applications relocated to a predictable location, thus voiding any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier,” wrote Dormann in a CERT/CC advisory.
Dormann notes there is no solution to this problem, but has offered a workaround in the advisory that admins can follow.
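As an added illustration (not code from the article, from Dormann, or from the CERT/CC advisory), the following Python reads a PE file's headers to tell whether an executable opted in to ASLR via the DYNAMICBASE flag or, like the 17-year-old EQNEDT32.EXE, depends on mandatory ASLR, which the advisory says relocates such images to a predictable address on Windows 8 and newer. The header offsets follow the PE/COFF specification; the three sample headers are constructed inline and are not real binaries.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: no .reloc data, image cannot move
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # DllCharacteristics: image opts in to ASLR

def aslr_status(data: bytes) -> dict:
    """Parse the DOS/COFF/optional headers of a PE image and classify its ASLR posture."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                           # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                        # PE32: 4-byte ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                      # PE32+: 8-byte ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]     # DllCharacteristics (same offset in PE32/PE32+)
    dynamic_base = bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    if dynamic_base:
        verdict = "opted in: the loader randomizes the image base"
    elif relocs_stripped:
        verdict = "no relocations: cannot be moved, always loads at ImageBase"
    else:
        verdict = "not DYNAMICBASE: relies on mandatory ASLR (predictable base on Windows 8+ per CERT/CC)"
    return {"image_base": image_base, "dynamic_base": dynamic_base,
            "relocs_stripped": relocs_stripped, "verdict": verdict}

def build_header(dllchar: int, characteristics: int = 0, image_base: int = 0x00400000) -> bytes:
    """Constructed sample: a minimal PE32 header (headers only, not a loadable program)."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, characteristics | 0x0102)  # i386, EXE, 32-bit
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

# Constructed samples: an ASLR-aware build, a legacy non-DYNAMICBASE build, and a relocs-stripped build.
SAMPLE_DYNBASE = build_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
SAMPLE_LEGACY = build_header(0)
SAMPLE_STRIPPED = build_header(0, IMAGE_FILE_RELOCS_STRIPPED)
```

Run `aslr_status(open(path, "rb").read())` over an application's executables to list the ones that will be relocated to a fixed address rather than randomized when only mandatory ASLR is in force.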
ZDNet has contacted Microsoft for its comments and will update this story if it receives a response.
System-wide ASLR is not as random as it’s supposed to be, locating programs to the same address every time. Image: Will Dormann