Slashdot Mirror


Windows 8 and Later Fail To Properly Apply ASLR (bleepingcomputer.com)

An anonymous reader writes: Windows 8, Windows 8.1, and subsequent Windows 10 variations fail to properly apply ASLR, rendering this crucial Windows security feature useless. The bug appeared when Microsoft changed a registry value in Windows 8 and occurs only in certain ASLR configuration modes. Basically, if users have enabled system-wide ASLR protection turned on, a bug in ASLR's implementation on Windows 8 and later will not generate enough entropy (random data) to start application binaries in random memory locations. For ASLR to work properly, users must configure it to work in a system-wide bottom-up mode. An official patch from Microsoft is not available yet, but a registry hack can be applied to make sure ASLR starts in the correct mode.

The bug was discovered by CERT vulnerability analyst Will Dormann while investigating a 17-year-old bug in the Microsoft Office equation editor, to which Microsoft appears to have lost the source code and needed to patch it manually.

62 comments

  1. Summary fail by Harold+Halloway · · Score: 4, Informative

    WTF is 'ASLR?'

    1. Re:Summary fail by Harold+Halloway · · Score: 2

      (I know the answer to this, btw, but why assume that everyone does?)

    2. Re:Summary fail by freeze128 · · Score: 5, Informative

      Address Space Layout Randomization - A security feature that prevents a certain type of exploit that would jump to a known location in ram to run a subroutine. If code was loaded in random locations, the exploit would not be successful.

    3. Re: Summary fail by Anonymous Coward · · Score: 0

      It's address space layout randomization. It's a way to make software more resilient against attacks that exploit some types of vulnerabilities like buffer overflows.

    4. Re:Summary fail by normanjd · · Score: 2

      Address Space Layout Randomization (ASLR) is a computer security technique that randomizes the memory address where application code is executed.

    5. Re:Summary fail by TechyImmigrant · · Score: 2

      Address Space Layout Randomization

      http://searchsecurity.techtarg...

      This:
      >a bug in ASLR's implementation on Windows 8 and later will not generate enough entropy (random data) to start application binaries in random memory locations.
      is the bit that sounds ridiculous. The CPU has an instruction that delivers full entropy data, 64 bits at a time, available from the execution of the first instruction. How can software "not generate enough entropy"?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    6. Re:Summary fail by Luthair · · Score: 4, Funny

      Age Sex Location Real?

    7. Re:Summary fail by UnknownSoldier · · Score: 2, Insightful

      Because the "editors" are lazy fucks. Been that way since 1999.

      Apparently it is too much "work" to spell out an acronym the first time it is used.

    8. Re:Summary fail by Luthair · · Score: 1

      This is Slashdot. Even if most of the articles are shitty tech blog posts we should still assume readers are nerds.

    9. Re:Summary fail by Anonymous Coward · · Score: 0

      Yeah, sure you know.
      Maybe we assume it because this is fucking slashdot?

    10. Re:Summary fail by Desler · · Score: 2

      (I know the answer to this, btw, but why assume that everyone does?)

      Because this isn’t Digg?

    11. Re:Summary fail by Anonymous Coward · · Score: 0

      Wisdom of the day: "If you don't know or understand what something is, keep away of meddling with it, using it, buying it, bragging about it or touching it. Unless you're a scientist. Then you should do all those things."

    12. Re:Summary fail by Anonymous Coward · · Score: 0

      WTF is 'ASLR?'

      "Asynchronous Subscriber Line Reflux"

    13. Re:Summary fail by rickb928 · · Score: 4, Informative

      It is a best practice to spell out the meaning of an acronym when first introduced in a document. I work in a complex corporate environment, and acronyms such as BCP, CEN, RFP, COP, and a host of others mean different things in different contexts. I get new ones, like CTH, HDT, and IDN, regularly, and these happen to mean different things. Stating the meaning up front, and then repeating it as the audience expands, is helpful to many who just don't get out enough.

      And most of the authors are oblivious to the crossovers. I work with a lot of different teams, at different levels, and get exposed to a huge swath of the organization, with all the joyous bleed of functions and ownership that goes with that. Writing for a diverse audience is a challenge.

      FWIW, that acronym is so common here I feel confident I can violate my own style rules, but someone won't readily recognize it. Darn.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    14. Re:Summary fail by Anonymous Coward · · Score: 0

      Please hand in your nerd credentials at the door - thanks

    15. Re: Summary fail by Brockmire · · Score: 0

      And we all passed middle school, right? This is basic fucking writing. I feel like no /. editor had taken grade 8 English in school. If their resumes list any previous writing experience, they should have double checked the references for bullshit. In college, there's technical writing courses. The /. Editors would have failed out first week and make the prof lose his shit. The editors are trolls. They have no interest in doing good work as demonstrated everyday.

    16. Re:Summary fail by Anonymous Coward · · Score: 2, Insightful

      WTF is WTF.

    17. Re: Summary fail by Anonymous Coward · · Score: 0

      And we all passed middle school, right? This is basic fucking writing. I feel like no /. editor had taken grade 8 English in school. If their resumes list any previous writing experience, they should have double checked the references for bullshit.

      In college, there's technical writing courses. The /. Editors would have failed out first week and make the prof lose his shit.

      The editors are trolls. They have no interest in doing good work as demonstrated everyday.

      It seems to me that passing middle school would include an ability to Google for something like "aslr acronym" or even "aslr security" if your reading comprehension is at least sub-par. You guys just enjoy bitching about a whole lot of nothing. The problem is not that the acronym wasn't spelled out. The problem was that you think yourself a techie and don't want to admit that your ignorance was exposed. The standard pride-response is to blame the messenger.

    18. Re:Summary fail by DontBeAMoran · · Score: 1

      You are assuming we are all Microsoft/Windows nerds, which is not the case. But the news could still be relevant if we could know if we need to tell friends or co-workers who might not be up-to-date on the topic being discussed.

      --
      #DeleteFacebook
    19. Re:Summary fail by UnknownSoldier · · Score: 2

      ^^ THIS.

      Where I work we are drowning in a sea of acronyms because no one has any time to explain what the fuck half of them even mean. You are just supposed to learn them by "osmosis" or some other shenanigans after a few years. I've asked managers who have been there 10+ years and even they still don't know some of them.

      One of the biggest (internal) problems we have is that everything is WAY more complicated than it needs to be.

      One of my gaming friends who used to work in the healthcare industry says they have the exact same problem.

      I don't know what it is about tech that causes this attitude. Job security?

      It is like everyone forgot the wisdom of Einstein: "Make things as simple as possible, but not simpler."

      --
      Over-engineering is the enemy of great.

    20. Re:Summary fail by Anonymous Coward · · Score: 0

      Analogue Single Lens Reflex. It's a snooty way of saying SLR.

    21. Re:Summary fail by Anonymous Coward · · Score: 0

      Don't worry... it's useless anyway.

      You can just run the system out of memory and reduce any impact it might have had.

    22. Re: Summary fail by Anonymous Coward · · Score: 0

      Fuck if I know what the fuck that is.

    23. Re: Summary fail by Anonymous Coward · · Score: 0

      And, it's not windows only.

    24. Re: Summary fail by Anonymous Coward · · Score: 0

      Objection! You assume facts not in evidence. Do not assume RNG is trustable.

    25. Re:Summary fail by thegarbz · · Score: 1

      You are assuming we are all Microsoft/Windows nerds

      ASLR has nothing to do with Windows. It was introduced 16 years ago in a hardened version of Linux and has been discussed multiple times on Slashdot including the time when it was introduced in Windows, in Linux, in Android, and in iOS.

      There's been multiple stories in the past 2 years with ASLR in the title, not to mention a shitload more with it in the summary.

    26. Re:Summary fail by Anonymous Coward · · Score: 0

      Age Sex Location Race?

      FTFY.

    27. Re:Summary fail by Anonymous Coward · · Score: 0

      Analogy: WTF is virtual memory?

    28. Re: Summary fail by TechyImmigrant · · Score: 1

      Since I was a central member of the team that designed that RNG, I do know it is trustable.

      However you, as an AC are not trustable. What basis do you have for the claim that it isn't trustable?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    29. Re: Summary fail by Anonymous Coward · · Score: 0

      Address space layout randomization (ASLR) is a memory-protection process for operating systems (OSes) that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.

    30. Re:Summary fail by gwjgwj · · Score: 1

      Analog Single-Lens Reflex Camera

    31. Re:Summary fail by Anonymous Coward · · Score: 0

      Well, what the heck IS it? (Remember some people come here to learn things). Fine I'll look it up.

      Address Space Layout Randomization (computer security)

  2. Good thing we all stayed on 7 then by Anonymous Coward · · Score: 0

    Sure would have been a problem if we upgraded!

  3. I'm amazed it took this long to notice by mykepredko · · Score: 2

    Maybe because I'm doing some Windows (7) code development and debug right now, but I would have thought that not having random code locations would have been noticed by application developers as they debugged their code - especially when you're creating threads, looking at the address of the thread start *should* be different each time the application starts, but if it's the same all the time that's an indication that ASLR isn't working.

    Shouldn't this be part of a verification process for a new kernel release? I'm not trying to knock Microsoft here as this is a somewhat esoteric bug, but I would think that the security implications would drive the requirement for verifying that the code resides in a different location on each startup.

    1. Re:I'm amazed it took this long to notice by Anonymous Coward · · Score: 4, Interesting

      Maybe they did notice. Maybe somebody told them that ASLR was making things hard for certain agencies, domestic or foreign. Maybe somebody told them to tell everyone the address space was randomized when in fact it was not.

    2. Re:I'm amazed it took this long to notice by mykepredko · · Score: 1

      Interesting...

    3. Re: I'm amazed it took this long to notice by Anonymous Coward · · Score: 0

      It looks like it was random... but not having enough entropy means the search space is too small to thwart an attacker.

    4. Re:I'm amazed it took this long to notice by Anonymous Coward · · Score: 0

      Shouldn't this be part of a verification process for a new kernel release? I'm not trying to knock Microsoft here as this is a somewhat esoteric bug,

      oh yes when you have a feature that required coordinated work from both intel and microsoft that is considered by most security people to be a mandatory feature, and then when it doesn't actually work at all, it's an "esoteric bug"

      did the dictionary fall on your head before or after you didn't bother to read it?

    5. Re:I'm amazed it took this long to notice by edtice1559 · · Score: 1

      Many times, these features are disabled in debug builds. But even if ASLR were on, in many application domains, I doubt anybody would notice.

    6. Re: I'm amazed it took this long to notice by Anonymous Coward · · Score: 0

      The locations still move, but in a predictable fashion. Looks random enough to the naked eye to escape casual notice.

    7. Re:I'm amazed it took this long to notice by Anonymous Coward · · Score: 0

      The article says the bug has something to do with not enough entropy. That leads me to believe it means that it's not securely random but would still look completely random. i.e. can you tell the difference between a truly random number and a pseudo random number just by a few examples? Of course not, you would have to analyze a huge set to know.
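The check mykepredko describes in comment 3 (the address of a function or thread start should differ on every start of the application) and the point the replies make (addresses can move every run yet vary in only a handful of bits, so the search space stays small) can both be made concrete. The following C program is an added example written for this thread; it is not code from the article, from CERT, or from any commenter. `print_run_addresses` prints a code, stack and heap address so the binary can be run several times and the lines recorded; `all_identical` catches the "same every time" case; `varying_bits` counts how many bit positions actually changed across a set of recorded addresses. The three address sets are constructed samples for illustration, not measurements from any Windows build, and the count is only an upper bound: a sequence that flips many bits in a predictable order, as the "Entropy" comment describes, would still pass it.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* A function whose address we sample. With ASLR active its location should
 * move between process starts; the binary must be built position-independent
 * (/DYNAMICBASE on MSVC, -pie on gcc/clang) or the sample is meaningless. */
static int probe_function(void) { return 1; }

/* Print one run's worth of addresses. Run the binary several times and record
 * the lines; identical values across runs mean no randomization at all. */
void print_run_addresses(void) {
    int on_stack = 0;
    void *on_heap = malloc(16);
    printf("code  0x%" PRIxPTR "\n", (uintptr_t)probe_function);
    printf("stack 0x%" PRIxPTR "\n", (uintptr_t)&on_stack);
    printf("heap  0x%" PRIxPTR "\n", (uintptr_t)on_heap);
    free(on_heap);
}

/* 1 if every recorded address is the same (the "same all the time" case). */
int all_identical(const uint64_t *addrs, size_t n) {
    for (size_t i = 1; i < n; i++)
        if (addrs[i] != addrs[0]) return 0;
    return 1;
}

/* Number of bit positions that took both values (0 and 1) somewhere in the
 * sample. This is an upper bound on the entropy of the placement, not a
 * measurement of it: a predictable sequence can still flip many bits. */
int varying_bits(const uint64_t *addrs, size_t n) {
    if (n == 0) return 0;
    uint64_t any_set = 0, all_set = ~(uint64_t)0;
    for (size_t i = 0; i < n; i++) {
        any_set |= addrs[i];   /* bits that were 1 in at least one run */
        all_set &= addrs[i];   /* bits that were 1 in every run */
    }
    uint64_t changed = any_set & ~all_set;
    int count = 0;
    for (; changed; changed >>= 1) count += (int)(changed & 1);
    return count;
}

/* Constructed sample sets (hypothetical image bases, not real measurements). */
const uint64_t SAME_EVERY_RUN[4] = { 0x00400000, 0x00400000, 0x00400000, 0x00400000 };
/* Moves each run, but only two bits ever change: a four-slot search space. */
const uint64_t FEW_BITS_VARY[4]  = { 0x7ff600000000, 0x7ff600010000,
                                     0x7ff600020000, 0x7ff600030000 };
/* Many of the bits above the 64 KiB granularity change between runs. */
const uint64_t MANY_BITS_VARY[4] = { 0x7ff6a1b20000, 0x7ff75c4e0000,
                                     0x7ff6093f0000, 0x7ff7e0a10000 };

int main(void) {
    print_run_addresses();
    printf("same-every-run: identical=%d varying bits=%d\n",
           all_identical(SAME_EVERY_RUN, 4), varying_bits(SAME_EVERY_RUN, 4));
    printf("few-bits-vary:  identical=%d varying bits=%d\n",
           all_identical(FEW_BITS_VARY, 4), varying_bits(FEW_BITS_VARY, 4));
    printf("many-bits-vary: identical=%d varying bits=%d\n",
           all_identical(MANY_BITS_VARY, 4), varying_bits(MANY_BITS_VARY, 4));
    return 0;
}
```

In practice the addresses printed by `print_run_addresses` over a dozen or so runs are collected into an array and fed to `varying_bits`; comparing the count against the number of randomized bits the platform documents for that region is what separates "it moved" from "it moved enough". The `FEW_BITS_VARY` set is the shape the replies describe: every run differs, yet an attacker has only four candidates to try.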

  4. Stick with a real OS by Anonymous Coward · · Score: 1

    iOS

    1. Re: Stick with a real OS by Anonymous Coward · · Score: 0

      Especially latest ios 11.

      People are pissed.

    2. Re:Stick with a real OS by tepples · · Score: 1

      Cisco iOS (used in routers) or BroadOn iOS (used in Wii)?

  5. Debug by JBMcB · · Score: 1

    You wouldn't notice it while debugging because the integrated debugger keeps track of where the code is running. The only way to see ASLR in action is to run the standalone binary without symbols, THEN aim the debugger at it. The function addresses *should* then be different for every run.

    --
    My Other Computer Is A Data General Nova III.
    1. Re:Debug by mykepredko · · Score: 1

      I dunno about that. I'm working on Eclipse Kepler for C/C++ (Build id: 20140224-0627) and I just checked the addresses of different threads over multiple restarts and they are at different addresses.

    2. Re:Debug by 110010001000 · · Score: 1

      My guess is that it isn't truly "random enough".

    3. Re:Debug by CustomBuild · · Score: 1

      I dunno about that. I'm working on Eclipse Kepler for C/C++ (Build id: 20140224-0627) and I just checked the addresses of different threads over multiple restarts and they are at different addresses.

      Do you know the difference between pseudo random and different? Your response implies no.

    4. Re:Debug by mykepredko · · Score: 1

      Golly. You shure use dem big words. You a perfesser?

      Mebbe you kin splain how's a dummy like can tell the difrence?

  6. Agile by 110010001000 · · Score: 4, Funny

    The Agile process would have fixed this sooner. Because unit tests, right? Right. Agile is magic. They must be using a waterfall model which is why the bug was undetected for 8 years.

    1. Re:Agile by Anonymous Coward · · Score: 0

      shut up moron.

    2. Re:Agile by Anonymous Coward · · Score: 1

      "shut up moron."

      Save it for the retrospective.

  7. From the department of redundancy department by edittard · · Score: 0

    if users have enabled system-wide ASLR protection turned on

    As opposed to having disabled system-wide ASLR protection turned on, or enabled system-wide ASLR protection turned off...?

    Were you not taught to write "Its height is six feet" or "It's six feet high" and not "Its height is six feet high" when you were in primary school?

    --
    At the bottom of the /. main page it says 'Yesterday's News'. Well they got that right.
  8. Wait, Microsoft LOST part of Office's source?! by Anonymous Coward · · Score: 1

    That explains why they never add new features and just bolt on new UI layouts.

    1. Re:Wait, Microsoft LOST part of Office's source?! by Anonymous Coward · · Score: 1

      Equation Editor is a 3rd party component, last released in 2000 and replaced in Office 2007, being kept for compatibility. This probably doesn't have any bearing on 'real' Office source code.

  9. Entropy by JBMcB · · Score: 2

    Yeah, what I gleaned from the article is they re-initialize the entropy pool for the address space randomizer in some predictable way. So the addresses might be different every time, but in a predictable manner.

    --
    My Other Computer Is A Data General Nova III.
  10. Is it so fucking hard? by Anonymous Coward · · Score: 0

    "if users have enabled system-wide ASLR protection turned on"

    Is it so fucking hard to read what was typed even one time before you click the submit button???

  11. Forgot the password to Visual Source Safe again? by filesiteguy · · Score: 2

    I was just telling my manager that rogue lone-wolf programming projects tend to end up with this exact scenario. I am SO copying this article for her.

  12. ASLR breaks critical apps by thomn8r · · Score: 1

    ...like the NSA backdoor toolkit

  13. You fucking useless editors by Anonymous Coward · · Score: 2, Interesting

    Here's a better article about the Office patch: https://arstechnica.com/gadgets/2017/11/microsoft-patches-equation-editor-flaw-without-fixing-the-source-code/

    From the article:

    A look at the Equation Editor's embedded version information also gives clues as to why Microsoft had to take this approach in the first place. It's a third-party tool, developed between 1990 and 2000 by a company named Design Science. That company still exists and is still producing equation editing software, but if we were to guess, Microsoft either doesn't have the source code at all or does not have permission to make fixes to it.

    There's no indication that the source code was "lost". They may very well have never had it.

  14. Re:Wait, Microsoft LOST part of Office's source?! by Anonymous Coward · · Score: 0

    Am I glad that new computer upgraded my Windows to version TEN!