US CERT has issued a warning on a vulnerability in Windows’ Address Space Layout Randomization (ASLR) that affects Windows 8, Windows 8.1, and Windows 10 which could an attacker to take control of an affected system.
CERT’s Will Dormann wrote in Vulnerability Note #817544 that both the Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard without also enabling system-wide bottom-up ASLR. ASLR is designed to prevent code-reuse attacks by loading modules in non-predictable addresses, however, the default setting for Windows Defender Exploit Guard GUI is « On by default » and does not reflect the underlying registry value (unset) resulting in programs being relocated to the same address even if the computer is rebooted.
“Windows 8 and newer systems that have system-wide ASLR enabled via EMET or Windows Defender Exploit Guard will have non-DYNAMICBASE applications relocated to a predictable location, thus voiding any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier,” Dormann wrote.
To read the original article: