Update information
How to obtain this update
The following files are available for download from the Microsoft Download Center:
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
Prerequisites
To apply this update, you must be running one of the following operating systems:
- Windows 7
- Windows 7 Service Pack 1 (SP1)
- Windows Server 2008 R2
- Windows Server 2008 R2 Service Pack 1 (SP1)
For more information about how to obtain a Windows 7 or a Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2
Registry information
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 How to back up and restore the registry in Windows
After you install this hotfix, follow these steps:
- Log on to your computer as an administrator.
- Click Start, type regedit in the Start Search box, and then press Enter.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- Under the Image File Execution Options folder, locate the name of your application (for example, Myapp.exe). If you cannot find your application:
  - Right-click the Image File Execution Options folder and select New Key.
  - Right-click the new key and select Rename.
  - Edit the key name to the name of your application, for example Myapp.exe.
- Right-click the Myapp.exe folder, select New, and then click QWORD Value.
- Right-click the new key and select Rename. Type MitigationOptions, and then press Enter.
- Click Edit, and then click Modify.
- In the Value data box, type 0x100, and then click OK.
- Exit Registry Editor.
Note If the value is set to 0x300, images with stripped relocations will not load.
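The same registry change can be scripted from an elevated PowerShell session. This is an added example, not Microsoft's code: the function names Set-ForceAslr and Get-ForceAslr are hypothetical, Myapp.exe is the article's placeholder image name, and the value is assumed to be stored as a QWORD as the steps above describe.

```powershell
# Added example, not Microsoft's code. Run from an elevated PowerShell session.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Set-ForceAslr {            # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$ImageName,   # for example 'Myapp.exe'
        [UInt64]$Value = 0x100                               # value from the steps above
    )
    # Accept only the two values this article documents.
    if ($Value -ne 0x100 -and $Value -ne 0x300) {
        throw "Unsupported MitigationOptions value: 0x$($Value.ToString('X'))"
    }
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Writing under HKLM requires an elevated session.'
    }
    $key = Join-Path $IfeoRoot $ImageName
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key | Out-Null        # create the per-application subkey
    }
    # -Force overwrites an existing value, so the call is repeatable.
    New-ItemProperty -Path $key -Name 'MitigationOptions' -PropertyType QWord `
        -Value $Value -Force | Out-Null
}

function Get-ForceAslr {            # hypothetical helper name
    # List every image under IFEO that carries a MitigationOptions value.
    # Assumes the value is a QWORD, as created by the steps in this article.
    Get-ChildItem -Path $IfeoRoot | ForEach-Object {
        $v = (Get-ItemProperty -Path $_.PSPath).MitigationOptions
        if ($null -ne $v) {
            New-Object PSObject -Property @{
                Image             = $_.PSChildName
                MitigationOptions = '0x{0:X}' -f $v
            }
        }
    }
}

Set-ForceAslr -ImageName 'Myapp.exe' -Value 0x100
Get-ForceAslr | Format-Table -AutoSize
```

Running Get-ForceAslr on its own gives a quick inventory of which applications on a computer already have the setting.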
Restart requirement
You may have to restart the computer after you apply this update.
Update replacement information
This update does not replace a previously released update.
File information
More information about ASLR
ASLR is one of the many mitigation technologies which make it difficult and costly for an attacker to exploit vulnerabilities in software. Specifically, ASLR makes the address space layout unpredictable to an attacker. Force ASLR improves the effectiveness of existing ASLR implementations by making it possible to forcibly relocate images that would not generally be randomized by ASLR. This helps to ensure that there are no predictable image mappings in the application’s address space.
Currently ASLR is enabled for any image built by using Microsoft Visual C++ 2008 or a later edition unless the linker flag /DYNAMICBASE:NO is used to opt out. This flag setting tells the linker not to set a special ASLR bit in the final executable image file. For more information about this special linker flag, visit the following Microsoft website:
Executable images that do not have the ASLR bit set will generally load at their preferred base address.
For more information about mitigation technologies, visit the following Microsoft website:
How the Image File Execution Options (IFEO) registry entry works
The IFEO registry key path for a particular application on a computer is as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Application Image Name, where the MitigationOptions value setting needs to be specified.
This newly introduced IFEO registry entry enables computer administrators and software developers to apply Force ASLR behavior for only the non-ASLR images. The following table summarizes the conditions in which the Force ASLR feature is applied to a binary:
Entropy of images relocated by Force ASLR
The Force ASLR feature does not guarantee a minimum degree of entropy for images that are forcibly relocated. Applications that want to ensure a minimum degree of entropy can implement a form of “bottom-up randomization.” Bottom-up randomization has the effect of randomizing addresses assigned by the bottom-up allocator that is used when it selects a base address for images that are forcibly relocated. Applications can implement bottom-up randomization by reserving a random number of 64 kilobyte (64K) regions by using the VirtualAlloc function. The maximum number of reserved regions dictates the entropy that will apply to forcibly relocated images.
For more information about the VirtualAlloc function, visit the following Microsoft website:
Application compatibility
Forcibly relocating images that are not built with support for ASLR may cause application compatibility problems. System administrators and software developers are encouraged to thoroughly test applications when enabling the Force ASLR feature.
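Before enabling Force ASLR for an application, it helps to know which of its images lack the ASLR bit and which have stripped relocations. The following added example (not Microsoft's code) reads both flags from the PE header; the function name Get-AslrStatus and the directory C:\Program Files\MyApp are hypothetical placeholders.

```powershell
# Added example, not Microsoft's code. Offsets follow the PE/COFF header layout.
function Get-AslrStatus {           # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Path)

    $file  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [IO.File]::ReadAllBytes($file)
    if ($bytes.Length -lt 0x40 -or [BitConverter]::ToUInt16($bytes, 0) -ne 0x5A4D) {
        throw "Not an MZ executable: $file"
    }
    $pe = [BitConverter]::ToInt32($bytes, 0x3C)            # e_lfanew
    if ($pe -lt 0 -or ($pe + 96) -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $pe) -ne 0x4550) { # "PE\0\0"
        throw "No PE signature: $file"
    }
    # File header Characteristics: signature (4) + offset 18 in the COFF header.
    $characteristics    = [BitConverter]::ToUInt16($bytes, $pe + 22)
    # Optional header DllCharacteristics: offset 70 for both PE32 and PE32+.
    $dllCharacteristics = [BitConverter]::ToUInt16($bytes, $pe + 24 + 70)

    $dynamicBase    = ($dllCharacteristics -band 0x0040) -ne 0  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    $relocsStripped = ($characteristics -band 0x0001) -ne 0     # IMAGE_FILE_RELOCS_STRIPPED

    if ($dynamicBase) {
        $note = 'ASLR bit set'
    } elseif ($relocsStripped) {
        $note = 'No ASLR bit, relocations stripped: will not load if MitigationOptions is 0x300'
    } else {
        $note = 'No ASLR bit, relocations present: candidate for Force ASLR'
    }
    New-Object PSObject -Property @{
        Image          = Split-Path -Leaf $file
        DynamicBase    = $dynamicBase
        RelocsStripped = $relocsStripped
        Note           = $note
    } | Select-Object Image, DynamicBase, RelocsStripped, Note
}

# Placeholder directory: point this at the application under test.
Get-ChildItem -Path 'C:\Program Files\MyApp' -Recurse -Include *.exe, *.dll |
    ForEach-Object { Get-AslrStatus -Path $_.FullName } |
    Format-Table -AutoSize
```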
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
Additional file information