Windows applications running on numerous Linux distributions are vulnerable because of a problem in the Linux compiling tool for building apps. Mingw-w64 or Minimalist GNU for Windows for 64-bit PCs are not implementing Microsoft’s address space layout randomization (ASLR) mitigation.

If you are unfamiliar with ASLR, it is a defence that prevents code executed attacks on predictable memory locations on an operating system. It does this by literally randomizing program load addresses. The feature is a mainstay across Windows, Linux, Android, iOS and MacOS.

Carnegie Mellon University’s computer emergency response team (CERT/CC) says “mingw-w64 produces executable Windows files without a relocations table by default, which breaks compatibility with ASLR”.

It is worth pointing out that CERT/CC has hardly embraced ASLR in the past. Indeed, CERT researcher Will Dormann said last year “Starting with Windows 8.0, system-wide mandatory ASLR (enabled via EMET) has zero entropy, essentially making it worthless. Windows Defender Exploit Guard for Windows 10 is in the same boat.”

Dormann is the researcher discussing the lack of ASLR in Linux distributions. He says for five years developers have been using mingw-w64 to create Windows executable. These should all be compatible with the ASLR mitigation. However, that is not the case because a necessary “relocations table” is missing.

Easy Access

As a result, many vulnerabilities will be easier to exploit within Windows apps on Linux. Dormann explains while appearing to have ASLR, executables are actually lacking the mitigation:

“For ASLR to function, Windows executables must contain a relocations table. Despite containing the ‘Dynamic base’ PE header, which indicates ASLR compatibility, Windows executables produced by mingw-w64 have the relocations table stripped from them by default. This means that executables produced by mingw-w64 are vulnerable to return-oriented programming (ROP) attacks.”

CERT/CC says the flaw can be found in many leading Linux distribution. Among those affected are Debian, Red Hat, Ubuntu, SUSE Linux, Arch Linux, CentOS, and many more. Researchers say they notified the software vendors in late July and are awaiting a response.