November 20, 2017

About Windows 10's superior security...

I first saw this story last week on BleepingComputer, but didn't really take the time to understand it properly until today. Honestly, BleepingComputer's coverage was a little dry, and anyone other than a security researcher or system administrator would be forgiven for thinking that it wasn't that big a deal, especially since BleepingComputer's article includes a workaround for the problem.

Well, it turns out that this is a big deal. In fact, it's a really big deal, and it's been blowing up all day.

For example, this story by ZDNet:

Key Windows 10 defense is 'worthless' and bug dates back to Windows 8

Microsoft has been telling users to upgrade to Windows 10 because of its superior in-built defenses against attacks, compared with Windows 7. That advice would be true if it properly implemented the defense known as Address Space Layout Randomization (ASLR).
ASLR is used by Android, Windows, Linux, iOS and macOS to prevent attacks that rely on code executing at predictable memory locations by loading programs at random addresses.
It's been used by Microsoft since Windows Vista to counter memory-based attacks. However, Microsoft introduced an error in Windows 8 when implementing a feature known as Force ASLR or system-wide mandatory ASLR.
[...]
"Starting with Windows 8.0, system-wide mandatory ASLR (enabled via EMET) has zero entropy, essentially making it worthless. Windows Defender Exploit Guard for Windows 10 is in the same boat," [Will Dormann of Carnegie Mellon University's CERT/CC] wrote on Twitter.
[...]
Not only is the feature "worthless" in Windows 10, but Windows 7 with EMET actually does a better job of enforcing ASLR than Windows 10, according to Dormann.
"Actually, with Windows 7 and EMET System-wide ASLR, the loaded address for eqnedt32.exe is different on every reboot. But with Windows 10 with either EMET or WDEG, the base for eqnedt32.exe is 0x10000 EVERY TIME. Conclusion: Win10 cannot enforce ASLR as well as Win7," he wrote.
"Windows 8 and newer systems that have system-wide ASLR enabled via EMET or Windows Defender Exploit Guard will have non-DYNAMICBASE applications relocated to a predictable location, thus voiding any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier," wrote Dormann in a CERT/CC advisory.
Dormann notes there is no solution to this problem, but has offered a workaround in the advisory that admins can follow.
So, not only is this a major bug that Windows 7 doesn't have, but it's been an undetected part of Windows since 2009, and isn't fixed yet in Windows 8 or 10. There's no telling how much damage may already have been done by hackers exploiting this weakness in later Windows versions, even as users of those Windows versions believed themselves to be safer than Windows 7 users... something which simply wasn't true. This comes after a year in which Microsoft has been telling people that Windows 10 was impervious to ransomware, apparently unaware that this vulnerability made it easier for bad actors to target valuable data.
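To see which programs fall into the non-DYNAMICBASE bucket Dormann describes, here is a small Python script added to this post as an illustration (it is not from the CERT/CC advisory or any of the articles quoted above). It reads a PE file's headers and reports the ImageBase and whether the DYNAMICBASE flag is set; a binary without that flag is exactly the kind that mandatory ASLR on Windows 8 and later rebases to a fixed address. The make_test_pe helper builds a constructed header stub so the script runs without a real binary.

```python
"""Flag PE images that lack DYNAMICBASE (the ones mandatory ASLR rebases to a fixed address)."""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_aslr_info(data: bytes) -> dict:
    """Return ImageBase and DYNAMICBASE state parsed from a PE file's headers.

    Raises ValueError on anything that is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)   # same offset for PE32 and PE32+
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {"image_base": image_base, "dynamic_base": dynamic_base,
            "dll_characteristics": dll_chars}


def make_test_pe(dll_chars: int, image_base: int = 0x00400000) -> bytes:
    """Build a constructed, minimal PE32 header (not a real binary) for testing."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                    # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(hdr) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Two constructed samples: one legacy-style image without DYNAMICBASE, one with it.
    for name, blob in (("legacy.exe", make_test_pe(0x0000)), ("modern.exe", make_test_pe(0x0140))):
        info = pe_aslr_info(blob)
        status = "DYNAMICBASE" if info["dynamic_base"] else "no DYNAMICBASE: fixed base under mandatory ASLR"
        print(f"{name}: ImageBase={info['image_base']:#x} {status}")
```

To check a real file, pass the result of open(path, "rb").read() to pe_aslr_info; anything it reports as lacking DYNAMICBASE is what the workaround in the advisory is meant to cover.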

Yikes.

The workaround, incidentally, is a registry edit... coincidentally, also the way you can turn off Cortana to safeguard your privacy, but still something which most users are simply not comfortable doing. Or, as ExtremeTech puts it:
As always, we do not recommend mucking about in the registry unless you are certain you know what you’re doing. US-CERT has some additional details on both the problem and this fix available on its website. And yes, Windows 7 users, you get to preen a bit — this problem does not affect your operating system.
If you're thinking that US-CERT sounds very governmental, it is: specifically, it's the U.S. Computer Emergency Readiness Team.

Microsoft are apparently aware of the issue... now... and they're working on a fix, although they're denying that this is a vulnerability according to ThreatPost:
Microsoft told Threatpost it acknowledges the issue.
“The issue described by the US-CERT is not a vulnerability. ASLR is functioning as designed and customers running default configurations of Windows are not at increased risk. The US-CERT discovered an issue with configuring non-default settings for ASLR using Windows Defender Exploit Guard and EMET, and provided workarounds. Microsoft is investigating and will address the configuration issue accordingly,” Microsoft said.
So, it's not a vulnerability... it just leaves your data more vulnerable to attack. Riiiiight.

It's at this point that I'll remind you that Windows 7 is still in its extended support period, which means that you can stay with its superior implementation of ASLR until at least 2020, if you're into that sort of thing. And while I don't expect that anyone will abandon Windows 10 for Windows 7 over this issue, I must say that this latest black eye for Microsoft, coming so soon after the scaremongering they and their apologists were doing over WannaCry and ransomware just a few months ago, is oddly satisfying. Or maybe not so oddly.