Key Windows 10 Anti-Malware Technology

https://www.extremetech.com/computing/259350-key-windows-10-antimalware-technology-critically-broken

Can our security experts explain the above article in layman's terms?

Thanks!
Jackie Man, IT Manager, asked:

McKnife commented:
You should use Wikipedia for a better understanding of what ASLR is: https://en.wikipedia.org/wiki/Address_space_layout_randomization
To call ASLR "Key Windows 10 Anti-Malware Tech" is a bit too strong in my opinion. ASLR makes it harder for malware to succeed, that's all.

ASLR was incorrectly implemented in Win 8/8.1 and 10, so that additional bit of attack prevention was not there. MS will patch this, so either wait until the next patch day or edit your registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00


(copy to notepad, save as fix.reg, open regedit as administrator, import the fix.reg file).
0
btan, Exec Consultant, commented:
To know ASLR better, it is good that you catch this:
In practice, the majority of the memory that is allocated by an application will use the bottom-up allocation method, and it is rare to see applications use the based method for allocating memory.

Prior to Windows 8, bottom-up and top-down allocations were not randomized by ASLR.

Starting with Windows 8, the base address of all bottom-up and top-down allocations is explicitly randomized.  This is accomplished by randomizing the address that bottom-up and top-down allocations start from for a given process.
https://blogs.technet.microsoft.com/srd/2013/12/11/software-defense-mitigating-common-exploitation-techniques/

The problem reported is due to
Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR. Although Windows Defender Exploit guard does have a system-wide option for system-wide bottom-up-ASLR, the default GUI value of "On by default" does not reflect the underlying registry value (unset). This causes programs (without /DYNAMICBASE) to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems
https://www.kb.cert.org/vuls/id/817544

So to mitigate it, you can follow the advice the expert mentioned earlier on. It is to enable system-wide bottom-up ASLR on systems that have system-wide mandatory ASLR.
0
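To see why the .reg value above fixes the problem described in the two answers, here is an added decoder (not part of either answer) for the kernel MitigationOptions value. It assumes the REG_BINARY value follows the PROCESS_CREATION_MITIGATION_POLICY_* bit layout from winbase.h (2-bit fields: 1 = always on, 2 = always off), with force-relocate-images at bit 8 and bottom-up ASLR at bit 16; the "misconfigured" sample value is constructed to mirror the EMET/Exploit Guard state the CERT note describes.

```python
from typing import Dict

# 2-bit policy fields and their bit offsets in MitigationOptions (assumed to
# match the PROCESS_CREATION_MITIGATION_POLICY_* layout from winbase.h).
FIELDS = {
    "force_relocate_images": 8,   # "mandatory ASLR" in Exploit Guard / EMET
    "heap_terminate": 12,
    "bottom_up_aslr": 16,         # the entropy source the CERT note says is missing
    "high_entropy_aslr": 20,
}
STATE = {0: "default", 1: "on", 2: "off"}

# Constructed sample values in .reg "hex:" syntax (little-endian byte order).
FIX_VALUE = "00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00"   # value from the answer above
BROKEN_VALUE = "00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00"  # mandatory ASLR only


def parse_reg_hex(hex_text: str) -> int:
    """Turn a .reg 'hex:' byte list into an integer (little-endian)."""
    data = bytes(int(b, 16) for b in hex_text.split(",") if b.strip())
    return int.from_bytes(data, "little")


def decode(options: int) -> Dict[str, str]:
    """Map each known 2-bit field to default / on / off."""
    return {name: STATE.get((options >> shift) & 0x3, "invalid")
            for name, shift in FIELDS.items()}


def assess(hex_text: str) -> str:
    """Flag the VU#817544 condition: relocation forced without bottom-up entropy."""
    s = decode(parse_reg_hex(hex_text))
    if s["force_relocate_images"] == "on" and s["bottom_up_aslr"] != "on":
        return "VULNERABLE: mandatory ASLR without bottom-up ASLR (same address every boot)"
    if s["force_relocate_images"] == "on":
        return "OK: mandatory ASLR with bottom-up ASLR"
    return "DEFAULT: mandatory ASLR not forced system-wide"


if __name__ == "__main__":
    for label, value in (("fix.reg value", FIX_VALUE), ("EMET/Exploit Guard default", BROKEN_VALUE)):
        print(f"{label}: {decode(parse_reg_hex(value))} -> {assess(value)}")
```

On a live system the bytes to feed in come from `Get-ItemProperty` on the kernel key named in the answer; the decoder itself runs anywhere.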

Jackie Man, IT Manager (Author), commented:
Thanks!
0