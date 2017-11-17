Windows 8 and Later Fail To Properly Apply ASLR (bleepingcomputer.com) 21
An anonymous reader writes: Windows 8, Windows 8.1, and subsequent Windows 10 variations fail to properly apply ASLR, rendering this crucial Windows security feature useless. The bug appeared when Microsoft changed a registry value in Windows 8 and occurs only in certain ASLR configuration modes. Basically, if users have system-wide ASLR protection turned on, a bug in ASLR's implementation on Windows 8 and later will not generate enough entropy (random data) to start application binaries in random memory locations. For ASLR to work properly, users must configure it to work in a system-wide bottom-up mode. An official patch from Microsoft is not available yet, but a registry hack can be applied to make sure ASLR starts in the correct mode.
The bug was discovered by CERT vulnerability analyst Will Dormann while investigating a 17-year-old bug in the Microsoft Office equation editor, for which Microsoft appears to have lost the source code and which it therefore had to patch manually.
Summary fail
WTF is 'ASLR?'
(I know the answer to this, btw, but why assume that everyone does?)
Because the "editors" are lazy fucks. Been that way since 1999.
Apparently it is too much "work" to spell out an acronym the first time it is used.
> (I know the answer to this, btw, but why assume that everyone does?)
Because this isn't Digg?
Address Space Layout Randomization
http://searchsecurity.techtarg... [techtarget.com]
This:
>a bug in ASLR's implementation on Windows 8 and later will not generate enough entropy (random data) to start application binaries in random memory locations.
is the bit that sounds ridiculous. The CPU has an instruction that delivers full entropy data, 64 bits at a time, available from the execution of the first instruction. How can software "not generate enough entropy"?
I'm amazed it took this long to notice (Score:2)
Maybe it's because I'm doing some Windows (7) code development and debug right now, but I would have thought that not having random code locations would have been noticed by application developers as they debugged their code, especially when you're creating threads: the address of the thread start *should* be different each time the application starts, but if it's the same every time, that's an indication that ASLR isn't working.
Shouldn't this be part of a verification process for a new kernel relea
Interesting...
Debug (Score:2)
You wouldn't notice it while debugging because the integrated debugger keeps track of where the code is running. The only way to see ASLR in action is to run the standalone binary without symbols, THEN aim the debugger at it. The function addresses *should* then be different for every run.
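The two comments above ("I'm amazed it took this long to notice" and "Debug") both describe the same empirical test: start a fresh process several times, record where code and data land, and see whether the addresses move. The following script is an added example, not code from the article, the CERT note or any commenter; it automates that test and also quantifies the "not enough entropy" point by counting how many address bits actually vary across runs. It assumes only that the Python interpreter it is run with is itself a normally built, relocatable binary (on Windows, linked with /DYNAMICBASE); the child-process part is illustrative, while `varying_bits` and `assess` can be fed addresses collected from any program. The addresses in the usage notes below are constructed.

```python
"""Empirical ASLR check: spawn fresh processes, compare where things land.

Added example (not from the page). Assumption: sys.executable is a normally
built, relocatable interpreter, so its code symbol should move between runs
when ASLR works; on a broken configuration it lands at the same place.
"""
import subprocess
import sys

# Code run in each child: print the address of one code symbol (a function in
# the Python runtime) and of one freshly allocated heap object.
CHILD_SNIPPET = r"""
import ctypes
code = ctypes.cast(ctypes.pythonapi.PyLong_FromLong, ctypes.c_void_p).value
heap = id(bytearray(64))
print(code, heap)
"""


def collect_samples(runs=8):
    """Start a fresh interpreter `runs` times; return [(code_addr, heap_addr), ...].

    A new process each time matters: reading addresses repeatedly inside one
    process, or inside a debugger that follows the module, shows nothing.
    """
    samples = []
    for _ in range(runs):
        out = subprocess.run(
            [sys.executable, "-c", CHILD_SNIPPET],
            capture_output=True, text=True, check=True,
        ).stdout
        code, heap = (int(x) for x in out.split())
        samples.append((code, heap))
    return samples


def varying_bits(addresses):
    """Return the set of bit positions that differ across the sampled addresses.

    OR-ing the XOR of every sample against the first leaves a 1 in every bit
    that took more than one value; the count is a lower bound on the entropy
    the randomizer actually delivered (with ~8 samples it is close to exact).
    """
    base = addresses[0]
    diff = 0
    for a in addresses[1:]:
        diff |= base ^ a
    return {i for i in range(diff.bit_length()) if (diff >> i) & 1}


def assess(addresses, min_bits=8):
    """Summarise one address stream: distinct values, varying bits, verdict.

    `min_bits` is an arbitrary floor for this example: an image that moves
    between only a couple of positions is not usefully randomized.
    """
    bits = varying_bits(addresses)
    distinct = len(set(addresses))
    return {
        "distinct": distinct,
        "varying_bits": len(bits),
        "lowest_varying_bit": min(bits) if bits else None,
        "randomized": distinct > 1 and len(bits) >= min_bits,
    }


if __name__ == "__main__":
    samples = collect_samples()
    for name, stream in (("code", [s[0] for s in samples]),
                         ("heap", [s[1] for s in samples])):
        print(name, assess(stream))
```

Run it as a script and compare the "code" line against what you expect for the platform: a healthy 64-bit Windows image base moves in 64 KiB steps, so the lowest varying bit should be 16 and a couple of dozen bits above it should vary; a stream where every run reports the same code address (`distinct` of 1, no varying bits) is exactly the symptom the article describes, even though the heap addresses in the same runs may still move. With constructed input, `assess([0x7FF612340000] * 5)["randomized"]` is False, while `assess([0x7FF612340000, 0x7FF7ABCD0000, 0x7FF600010000, 0x7FF6FFFF0000])` reports 4 distinct values, 17 varying bits starting at bit 16, and `randomized` True.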