Windows 8 and Later Fail To Properly Apply ASLR (bleepingcomputer.com)
An anonymous reader writes: Windows 8, Windows 8.1, and subsequent Windows 10 variations fail to properly apply ASLR, rendering this crucial Windows security feature useless. The bug appeared when Microsoft changed a registry value in Windows 8 and occurs only in certain ASLR configuration modes. Basically, if users have enabled system-wide ASLR protection turned on, a bug in ASLR's implementation on Windows 8 and later will not generate enough entropy (random data) to start application binaries in random memory locations. For ASLR to work properly, users must configure it to work in a system-wide bottom-up mode. An official patch from Microsoft is not available yet, but a registry hack can be applied to make sure ASLR starts in the correct mode.
The bug was discovered by CERT vulnerability analyst Will Dormann while investigating a 17-year-old bug in the Microsoft Office equation editor, to which Microsoft appears to have lost the source code and needed to patch it manually.
Summary fail (Score:5, Informative)
WTF is 'ASLR?'
Re: (Score:3)
(I know the answer to this, btw, but why assume that everyone does?)
Re: (Score:3, Insightful)
Because the "editors" are lazy fucks. Been that way since 1999.
Apparently it is too much "work" to spell out an acronym the first time it is used.
Re:Summary fail (Score:5, Informative)
It is a best practice to spell out the meaning of an acronym when first introduced in a document. I work in a complex corporate environment, and acronyms such as BCP, CEN, RFP, COP, and a host of others mean different things in different contexts. I get new ones, like CTH, HDT, and IDN, regularly, and these happen to mean different things. Stating the meaning up front, and then repeating it as the audience expands, is helpful to many who just don't get out enough.
And most of the authors are oblivious to the crossovers. I work with a lot of different teams, at different levels, and get exposed to a huge swath of the organization, with all the joyous bleed of functions and ownership that goes with that. Writing for a diverse audience is a challenge.
FWIW, that acronym is so common here I feel confident I can violate my own style rules, but someone won't readily recognize it. Darn.
Re: (Score:3)
^^ THIS.
Where I work we are drowning in a sea of acronyms because no one has any time to explain what the fuck half of them even mean. You are just supposed to learn them by "osmosis" or some other shenanigans after a few years. I've asked managers who have been there 10+ years and even they still don't know some of them.
One of the biggest (internal) problems we have is that everything is WAY more complicated than it needs to be.
One of my gaming friends who used to work in the healthcase industry says the
Re: (Score:2)
Re: Summary fail (Score:1)
Re: (Score:2)
You are assuming we are all Microsoft/Windows nerds, which is not the case. But the news could still be relevant if we could know if we need to tell friends or co-workers who might not be up-to-date on the topic being discussed.
Re: (Score:2)
You are assuming we are all Microsoft/Windows nerds
ASLR has nothing to do with Windows. It was introduced 16 years ago in a hardened version of Linux and has been discussed multiple times on Slashdot including the time when it was introduced in Windows, in Linux, in Android, and in iOS.
There have been multiple stories in the past 2 years with ASLR in the title, not to mention a shitload more with it in the summary.
Re: (Score:2)
(I know the answer to this, btw, but why assume that everyone does?)
Because this isn’t Digg?
Re:Summary fail (Score:5, Informative)
Re: (Score:2)
Re: (Score:3)
Address Space Layout Randomization
http://searchsecurity.techtarg... [techtarget.com]
This:
>a bug in ASLR's implementation on Windows 8 and later will not generate enough entropy (random data) to start application binaries in random memory locations.
is the bit that sounds ridiculous. The CPU has an instruction that delivers full entropy data, 64 bits at a time, available from the execution of the first instruction. How can software "not generate enough entropy"?
Re: (Score:2)
Since I was a central member of the team that designed that RNG, I do know it is trustable.
However you, as an AC are not trustable. What basis do you have for the claim that it isn't trustable?
Re:Summary fail (Score:5, Funny)
Re: (Score:2, Insightful)
WTF is WTF.
Re: (Score:1)
I'm amazed it took this long to notice (Score:3)
Maybe because I'm doing some Windows (7) code development and debug right now, but I would have thought that not having random code locations would have been noticed by application developers as they debugged their code - especially when you're creating threads, looking at the address of the thread start *should* be different each time the application starts, but if it's the same all the time that's an indication that ASLR isn't working.
Shouldn't this be part of a verification process for a new kernel release? I'm not trying to knock Microsoft here as this is a somewhat esoteric bug, but I would think that the security implications would drive the requirement for verifying that the code resides in a different location on each startup.
Re:I'm amazed it took this long to notice (Score:4, Interesting)
Maybe they did notice. Maybe somebody told them that ASLR was making things hard for certain agencies, domestic or foreign. Maybe somebody told them to tell everyone the address space was randomized when in fact it was not.
Re: (Score:2)
Interesting...
Debug (Score:2)
You wouldn't notice it while debugging because the integrated debugger keeps track of where the code is running. The only way to see ASLR in action is to run the standalone binary without symbols, THEN aim the debugger at it. The function addresses *should* then be different for every run.
Re: (Score:2)
I dunno about that. I'm working on Eclipse Kepler for C/C++ (Build id: 20140224-0627) and I just checked the addresses of different threads over multiple restarts and they are at different addresses.
Re: (Score:2)
Entropy (Score:3)
Yeah, what I gleaned from the article is they re-initialize the entropy pool for the address space randomizer in some predictable way. So the addresses might be different every time, but in a predictable manner.
Re: (Score:1)
I dunno about that. I'm working on Eclipse Kepler for C/C++ (Build id: 20140224-0627) and I just checked the addresses of different threads over multiple restarts and they are at different addresses.
Do you know the difference between pseudo random and different? Your response implies no.
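The sub-thread above (check the start address across restarts; "different" is not the same as "random") is the kind of check a practitioner would actually script. The following is an added illustration, not code from the linked article or any commenter: it takes load addresses recorded from repeated launches and classifies them as fixed, merely predictable, low-entropy, or randomized. The address lists are constructed samples, and the 8-bit threshold is an arbitrary assumption for the illustration.

```python
"""Classify load addresses observed over repeated launches of one binary."""
import math
from collections import Counter

# CONSTRUCTED samples standing in for addresses you would record yourself,
# e.g. the address of main() printed by the process on each fresh start.
SAMPLES = {
    "fixed": [0x10000] * 5,                                  # same base every run
    "predictable": [0x400000 + i * 0x10000 for i in range(6)],  # fixed stride
    "low-entropy": [0x400000, 0x410000, 0x400000, 0x430000, 0x420000],
    "randomized": [0x7FF612340000, 0x7FF79ABC0000, 0x7FF655550000,
                   0x7FF70E100000, 0x7FF6CAFE0000],
}

def varying_bits(addrs):
    """Bitmask of the address bits that differ across the samples."""
    mask = 0
    for a in addrs[1:]:
        mask |= a ^ addrs[0]
    return mask

def constant_stride(addrs):
    """True if successive samples move by one fixed non-zero delta."""
    deltas = {b - a for a, b in zip(addrs, addrs[1:])}
    return len(addrs) > 2 and len(deltas) == 1 and deltas != {0}

def sample_entropy_bits(addrs):
    """Shannon entropy of the observed distribution in bits (<= log2(n))."""
    n = len(addrs)
    return -sum(c / n * math.log2(c / n) for c in Counter(addrs).values())

def assess(addrs, min_bits=8):   # min_bits is an assumed, arbitrary threshold
    if len(set(addrs)) == 1:
        return "fixed"           # relocated to the same base: no randomization
    if constant_stride(addrs):
        return "predictable"     # differs each run, but the next value is obvious
    if bin(varying_bits(addrs)).count("1") < min_bits:
        return "low-entropy"     # only a handful of bits ever change
    return "randomized"

if __name__ == "__main__":
    for name, addrs in SAMPLES.items():
        print(f"{name:12s} -> {assess(addrs):12s} "
              f"varying bits={bin(varying_bits(addrs)).count('1'):2d} "
              f"entropy={sample_entropy_bits(addrs):.2f}")
```

A handful of runs only bounds the entropy from below, so treat "randomized" as "not obviously broken", not as proof of full ASLR strength.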
Re: (Score:2)
Golly. You shure use dem big words. You a perfesser?
Mebbe you kin splain how's a dummy like can tell the difrence?
Re: (Score:2)
Stick with a real OS (Score:1)
iOS
Re: (Score:2)
Cisco iOS (used in routers) or BroadOn iOS [hackmii.com] (used in Wii)?
Agile (Score:5, Funny)
Re: (Score:1)
"shut up moron."
Save it for the retrospective.
From the department of redundancy department (Score:1)
As opposed to having disabled system-wide ASLR protection turned on, or enabled system-wide ASLR protection turned off...?
Were you not taught to write "Its height is six feet" or "It's six feet high" and not "Its height is six feet high" when you were in primary school?
Wait, Microsoft LOST part of Office's source?! (Score:1)
That explains why they never add new features and just bolt on new UI layouts.
Re: (Score:1)
Equation Editor is a 3rd party component, last released in 2000 and replaced in Office 2007, being kept for compatibility. This probably doesn't have any bearing on the 'real' Office source code.
Forgot the password to Visual Source Safe again? (Score:3)
ASLR breaks critical apps (Score:2)
You fucking useless editors (Score:2, Interesting)
Here's a better article about the Office patch: https://arstechnica.com/gadgets/2017/11/microsoft-patches-equation-editor-flaw-without-fixing-the-source-code/
From the article: