Key Windows 10 Anti-Malware Technology

https://www.extremetech.com/computing/259350-key-windows-10-antimalware-technology-critically-broken

Can our security experts explains the above article in layman terms?

Thanks!
Jackie Man asked:

btan (Exec Consultant) commented:
To understand ASLR better, it is good to catch this:
In practice, the majority of the memory that is allocated by an application will use the bottom-up allocation method, and it is rare to see applications use the based method for allocating memory.

Prior to Windows 8, bottom-up and top-down allocations were not randomized by ASLR.

Starting with Windows 8, the base address of all bottom-up and top-down allocations is explicitly randomized. This is accomplished by randomizing the address that bottom-up and top-down allocations start from for a given process.
https://blogs.technet.microsoft.com/srd/2013/12/11/software-defense-mitigating-common-exploitation-techniques/

The problem reported is due to
Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR. Although Windows Defender Exploit guard does have a system-wide option for system-wide bottom-up-ASLR, the default GUI value of "On by default" does not reflect the underlying registry value (unset). This causes programs (without /DYNAMICBASE) to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems
https://www.kb.cert.org/vuls/id/817544

So to mitigate it, you can follow the advice mentioned earlier by the expert. It is to enable system-wide bottom-up ASLR on systems that have system-wide mandatory ASLR.

McKnife commented:
You should use wikipedia for a better understanding of what ASLR is: https://en.wikipedia.org/wiki/Address_space_layout_randomization
To call ASLR "Key Windows 10 Anti-Malware Tech" is a bit too strong in my opinion. ASLR makes it harder for malware to succeed, that's all.

ASLR was incorrectly implemented in win8/8.1 and 10 so that additional bit of attack prevention was not there. MS will patch this, so either wait until next patchday or edit your registry:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00


(copy to notepad, save as fix.reg, open regedit as administrator, import the fix.reg file).
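As an added example (not part of either answer above, and not Microsoft's or CERT's code), here is a PowerShell snippet that decodes the MitigationOptions bytes so you can see the difference between the weak state the CERT note describes (mandatory ASLR forced, bottom-up ASLR unset) and the state the .reg fix produces. The bit positions are assumed from the PROCESS_CREATION_MITIGATION_POLICY_* constants in the Windows SDK headers; the two sample byte arrays are constructed to mirror the "before" and "after" values, and the last lines read the real key on the machine it is run on.

```powershell
# Added example: decode MitigationOptions (REG_BINARY, little-endian) into the
# three ASLR policy flags that matter for this issue. Bit values are taken from
# the PROCESS_CREATION_MITIGATION_POLICY_* constants (assumed from the Windows SDK).
$ForceRelocateAlwaysOn = 0x00000100   # mandatory ASLR: relocate images built without /DYNAMICBASE
$BottomUpAlwaysOn      = 0x00010000   # randomize the bottom-up allocation base (this is what supplies entropy)
$HighEntropyAlwaysOn   = 0x00100000   # 64-bit high-entropy ASLR

function Get-MitigationFlags {
    param([byte[]]$Bytes)
    # Only the low 8 bytes carry these policies; copy into a fixed buffer so
    # short or long values decode the same way.
    $buf = New-Object byte[] 8
    [Array]::Copy($Bytes, $buf, [Math]::Min($Bytes.Length, 8))
    $mask = [BitConverter]::ToInt64($buf, 0)
    [pscustomobject]@{
        Mask          = ('0x{0:X16}' -f $mask)
        ForceRelocate = (($mask -band $ForceRelocateAlwaysOn) -ne 0)
        BottomUp      = (($mask -band $BottomUpAlwaysOn) -ne 0)
        HighEntropy   = (($mask -band $HighEntropyAlwaysOn) -ne 0)
    }
}

function Test-AslrEntropy {
    param([byte[]]$Bytes)
    $f = Get-MitigationFlags -Bytes $Bytes
    if ($f.ForceRelocate -and -not $f.BottomUp) {
        "$($f.Mask) WEAK: mandatory ASLR is forced but bottom-up ASLR is off; non-/DYNAMICBASE images are relocated to the same address every boot"
    } elseif ($f.ForceRelocate -and $f.BottomUp) {
        "$($f.Mask) OK: mandatory ASLR and bottom-up ASLR are both enabled"
    } else {
        "$($f.Mask) INFO: system-wide mandatory ASLR not forced; each image's own /DYNAMICBASE flag decides"
    }
}

# Constructed sample values (not read from any real machine):
#   weak  = what EMET / Exploit Guard "force ASLR on" alone leaves behind (byte 1 = 0x01 only)
#   fixed = the value in the .reg file above (bytes 1 and 2 both 0x01)
$weak  = [byte[]](0x00,0x01,0x00,0x00, 0,0,0,0, 0,0,0,0, 0,0,0,0)
$fixed = [byte[]](0x00,0x01,0x01,0x00, 0,0,0,0, 0,0,0,0, 0,0,0,0)
Test-AslrEntropy $weak
Test-AslrEntropy $fixed

# Now check the live key. It is absent when no system-wide policy has ever been set,
# which is not the weak state (then nothing is force-relocated in the first place).
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$live = (Get-ItemProperty -Path $key -Name MitigationOptions -ErrorAction SilentlyContinue).MitigationOptions
if ($live) { Test-AslrEntropy ([byte[]]$live) } else { "MitigationOptions is not set; no system-wide mandatory ASLR policy in force" }
```

Run it in an elevated PowerShell before and after importing the .reg file: the sample lines show the WEAK and OK verdicts for the constructed values, and the last line tells you which state your own machine is in. The .reg fix corresponds to setting bytes 1 and 2 to 0x01 (force relocate plus bottom-up); on Windows 10 1709 and later the same setting can also be made through Windows Defender Exploit Guard's system-wide bottom-up ASLR option, which is what the CERT note says the GUI mis-reports as already on.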

Jackie Man (author) commented:
Thanks!