ASLR behavior in Windows 10 is a feature: Microsoft


We recently reported on an ASLR flaw discovered by Will Dormann, a security researcher at Carnegie Mellon University.

He said:

Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR. Although Windows Defender Exploit guard does have a system-wide option for system-wide bottom-up-ASLR, the default GUI value of “On by default” does not reflect the underlying registry value (unset). This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated but to the same address every time across reboots and even across different systems.

In response to Dormann's claims, Microsoft's Matt Miller wrote the following in a blog post titled "Clarifying the behavior of mandatory ASLR":

In short, ASLR is working as intended and the configuration issue described by CERT/CC only affects applications where the EXE does not already opt-in to ASLR. The configuration issue is not a vulnerability, does not create additional risk, and does not weaken the existing security posture of applications.

CERT/CC did identify an issue with the configuration interface of Windows Defender Exploit Guard (WDEG) that currently prevents system-wide enablement of bottom-up randomization. The WDEG team is actively investigating this and will address the issue accordingly.

ASLR, or Address Space Layout Randomization, randomizes the memory addresses used by EXE and DLL files so that an attacker can't take advantage of a memory overflow.

To verify that ASLR is working on your machine, run Microsoft's Process Explorer utility (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer).
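Both quotes above turn on whether an image was linked with /DYNAMICBASE. As an added example (not code from this article, Microsoft or CERT/CC), the Python below reads that opt-in flag from a PE file's headers; the function names are this example's own, and `sample_pe` builds a constructed header-only input.

```python
import struct
import sys

# DllCharacteristics flags from the PE/COFF specification
HIGH_ENTROPY_VA = 0x0020  # linker option /HIGHENTROPYVA
DYNAMIC_BASE = 0x0040     # linker option /DYNAMICBASE (the ASLR opt-in)


def aslr_flags(image: bytes) -> dict:
    """Read the ASLR opt-in flags from a PE image's headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    opt = pe_off + 24  # skip 4-byte signature and 20-byte COFF header
    if opt + 72 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32, PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ layouts
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32_plus": magic == 0x20B,
        "dynamic_base": bool(chars & DYNAMIC_BASE),
        "high_entropy_va": bool(chars & HIGH_ENTROPY_VA),
    }


def describe(image: bytes) -> str:
    """Say whether the image is in the group the configuration issue affects."""
    if aslr_flags(image)["dynamic_base"]:
        return "opts in to ASLR (/DYNAMICBASE)"
    return "no /DYNAMICBASE: depends on system-wide mandatory and bottom-up ASLR"


def sample_pe(dll_characteristics: int, pe32_plus: bool = True) -> bytes:
    """Constructed header-only input for demonstration (not a loadable file)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + b"\0" * 20 + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. paths to EXE or DLL files
        with open(path, "rb") as fh:
            print(path, "->", describe(fh.read()))
```

Run it with one or more file paths as arguments to list which images do not opt in and therefore fall under the system-wide settings discussed above.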
