Starting with Vista, Windows comes with Address Space Layout Randomization (ASLR). ASLR is a computer security technique that helps prevent exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries. There is a bug in Windows 8 and above that makes this technique useless, but you can fix it.
The ASLR (Address Space Layout Randomization) feature was first introduced in Windows Vista. It helps prevent code-reuse attacks by loading code at randomized memory addresses.
In Windows 8, Windows 8.1 and Windows 10 the ASLR feature doesn't work properly. Because of incorrect configuration defaults, system-wide mandatory ASLR relocates programs without actually randomizing their memory addresses.
Update: There is an official blog post on TechNet that explains the situation. Read it here: Clarifying the behavior of mandatory ASLR.
The post says:
The configuration issue is not a vulnerability, does not create additional risk, and does not weaken the existing security posture of applications.
A post on CERT explains the issue in detail.
Both EMET and Windows Defender Exploit Guard enable system-wide ASLR without also enabling system-wide bottom-up ASLR. Although Windows Defender Exploit Guard does have a system-wide option for system-wide bottom-up ASLR, the default GUI value of "On by default" does not reflect the underlying registry value (unset). This causes programs without /DYNAMICBASE to get relocated, but without any entropy. The result of this is that such programs will be relocated, but to the same address every time across reboots and even across different systems.
Thankfully, it is easy to fix the issue.
Fix ASLR in Windows 8, Windows 8.1 and Windows 10
- Open the Registry Editor app.
- Go to the following Registry key.
See how to go to a Registry key with one click.
- On the right, create a new REG_BINARY value named MitigationOptions and set its value data to
- To make the changes done by the Registry tweak take effect, restart Windows 10.
To save your time, you can download the following Registry tweak:
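If you would rather verify the state of your system before (and after) applying the tweak, the following PowerShell script is an added example, not part of this post or of the downloadable tweak. It reads the system-wide MitigationOptions value, decodes the "force relocate images" and "bottom-up ASLR" flags, and reports the misconfiguration CERT describes: relocation forced without bottom-up randomization. The registry key path and the 16-byte value come from the CERT note referenced above, not from this page; the bit positions are the PROCESS_CREATION_MITIGATION_POLICY_* constants documented in the Windows SDK. Run it from an elevated PowerShell prompt; the write is commented out so the script is read-only unless you opt in.

```powershell
# Added example: check whether system-wide mandatory ASLR is enabled
# without bottom-up ASLR, and optionally apply the CERT-published fix.
# Key path and byte value follow the CERT note (VU#817544) that the post
# references; they are not taken from this page. Run elevated.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$ValueName = 'MitigationOptions'

# Bit positions within the first 8 bytes (little-endian) of MitigationOptions,
# matching the PROCESS_CREATION_MITIGATION_POLICY_* constants in the SDK.
$ForceRelocateAlwaysOn = [uint64]1 -shl 8    # ..._FORCE_RELOCATE_IMAGES_ALWAYS_ON
$BottomUpAslrAlwaysOn  = [uint64]1 -shl 16   # ..._BOTTOM_UP_ASLR_ALWAYS_ON

function Get-SystemMitigationOptions {
    # Returns the first 8 bytes of MitigationOptions as a UInt64, or $null if unset.
    $bytes = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) { return $null }
    $buf = New-Object byte[] 8                       # pad so a short REG_BINARY still decodes
    [Array]::Copy($bytes, $buf, [Math]::Min($bytes.Length, 8))
    return [BitConverter]::ToUInt64($buf, 0)
}

function Test-BottomUpAslrMisconfiguration {
    # Returns $true when images are force-relocated but bottom-up ASLR is off,
    # i.e. programs without /DYNAMICBASE land at the same address every boot.
    $opts = Get-SystemMitigationOptions
    if ($null -eq $opts) {
        Write-Host "MitigationOptions is unset: no system-wide mandatory ASLR is applied."
        return $false
    }
    $forceRelocate = ($opts -band $ForceRelocateAlwaysOn) -ne 0
    $bottomUp      = ($opts -band $BottomUpAslrAlwaysOn) -ne 0
    Write-Host ("MitigationOptions = 0x{0:X16}  ForceRelocate={1}  BottomUpASLR={2}" -f $opts, $forceRelocate, $bottomUp)
    return ($forceRelocate -and -not $bottomUp)
}

function Set-BottomUpAslrAlwaysOn {
    # Writes the 16-byte value from the CERT note: bits 8 (force relocate)
    # and 16 (bottom-up ASLR) set, everything else zero.
    $value = [byte[]](0x00,0x01,0x01,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00)
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType Binary -Value $value -Force | Out-Null
    Write-Host "MitigationOptions written; restart Windows for it to take effect."
}

if (Test-BottomUpAslrMisconfiguration) {
    Write-Warning "Mandatory ASLR is on without bottom-up ASLR: relocated images get no entropy."
    # Uncomment to apply the fix, then reboot:
    # Set-BottomUpAslrAlwaysOn
}
```

After a reboot, running the script again should print ForceRelocate=True and BottomUpASLR=True with no warning. Note that the check only covers the first 8 bytes of the value, which is where the ASLR flags live; the trailing bytes of the 16-byte value carry other policies and are left untouched by the decode.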