Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation: Microsoft


The missing mitigation was flagged by Microsoft in a post mortem of last month’s zero-day attack that hit businesses using the SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP products.

Microsoft originally shipped the mitigation — called ASLR (Address Space Layout Randomization) in Windows Vista back in 2006 as part of a larger plan to make it more difficult to automate attacks against the operating system.

However, according to Microsoft’s newly minted Offensive Research & Security Engineering team, SolarWinds developers failed to enable ASLR compatibility in some modules.