Vulnerability in Windows 10 Anti-Malware Tech

Over a years, Microsoft imparted support for a key malware mitigation technique that makes it tougher for dubious applications to anticipate which code will be running into particular target addresses. This is called ASLR (address space layout randomization), and each and every time it stores data in different locations when the application is running. If your code is full of security defects, ASLR won’t procure it, thus making it little harder to find and exploit. Guess, that is how they are intended to work — but Windows 10, it turns out, has a little problem. It stores the randomized data precisely at the same place, each and every time.

Imagine, every time when the intruder snoops and finds the data at the same place instead of 5 different locations. That’s what is happening here and it is creating a problem for Windows 8 and Windows 10. There is clearly no protection at all.

ASLR can be enabled in two ways one is by using the Visual C++ liner DYNAMICBASE flag, this has the potential to make a difference. The risk involved is when you have to rely on the developer or vendor to secure the code. This is like inviting trouble, and Microsoft tools are like they enforce applications to use ASLR, never mind if they are designed that way or not.

It has been found that Microsoft’s ASLR has failed to implement and activate a key sorting method. Commonly known as “bottom-up ASLR” itself is a method that enables and store data in the same location every time.

According to CERT “Although Windows Defender Exploit guard does have a system-wide option for system-wide bottom-up-ASLR, the default GUI value of “On by default” does not reflect the underlying registry value (unset). This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated but to the same address every time across reboots and even across different systems. Windows 8 and newer systems that have system-wide ASLR enabled via EMET or Windows Defender Exploit Guard will have non-DYNAMICBASE applications relocated to a predictable location, thus voiding any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier.”