
Dropbox disables ASLR on Windows

196 points by timpattinson over 11 years ago

13 comments

tlrobinson over 11 years ago
ASLR = Address Space Layout Randomization

https://en.wikipedia.org/wiki/Address_space_layout_randomization

onehoof over 11 years ago
"Dropbox" and "Security" are pretty much opposing terms. Remember this is the same company that when faced with a login bug, chose to disable password authentication so that anyone could log in as anyone else instead of shutting the service down until it was fixed.

scott_karana over 11 years ago
> Update: Brad “spender” Spengler (of grsec fame) has noted that the latest version of Dropbox has ASLR enabled for the 64-bit DLL, but still doesn’t on 32-bit.

For those particularly worried.

Still disturbing, but this seems to point to technical concerns.

lawnchair_larry over 11 years ago
That's very bad. It's been a long battle to stomp out ASLR-breaking modules from browsers. Vendors who do this undermine all of that.

timpattinson over 11 years ago
Comments from /r/netsec thread here: http://www.reddit.com/r/netsec/comments/1m25gi/installing_dropbox_prepare_to_lose_aslr/

andyjohnson0 over 11 years ago
I know very little about ASLR. Anyone care to comment on possible reasons why Dropbox would disable it?

I find it hard to believe that this is a deliberate attempt to weaken client-side security, so it's more likely that they are using some legacy code that is somehow incompatible with ASLR. But ASLR has been in Windows since 2007, pre-dating Dropbox by about a year, so they either developed ASLR-incompatible code after the feature was live or the problem is in a third-party component.

Any other explanations? What problems can ASLR cause?

Theriac25 over 11 years ago
Why is it even possible for DLLs/applications to disable ASLR by themselves, shouldn't that be a decision for the OS or admin?

yalogin over 11 years ago
Interesting. The option /DYNAMICBASE seems to be the default (to support ASLR). Which means they explicitly disabled it. Wonder why? Are they doing something that needed ASLR to be off?

Dylan16807 over 11 years ago
So it doesn't disable ASLR outside of this dll, right? The process is already loaded; it can't un-randomize.

trurl42 over 11 years ago
It seems like git-cheetah and the 7-Zip shell extension exhibit the same problem. MinGW doesn't enable ASLR by default, which might be the reason for that.
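
Added example, not part of the thread or of any commenter's post: the /DYNAMICBASE linker option discussed above sets the DYNAMIC_BASE bit (0x0040) in the DllCharacteristics field of a PE file's optional header, so a shell-extension DLL can be audited for ASLR opt-in by reading that field. The function names and the header-only sample images are constructed for illustration.

```python
import struct
import sys

# Bits defined in the PE/COFF specification
DYNAMIC_BASE = 0x0040       # DllCharacteristics: set by the linker option /DYNAMICBASE
HIGH_ENTROPY_VA = 0x0020    # DllCharacteristics: 64-bit high-entropy ASLR
RELOCS_STRIPPED = 0x0001    # COFF Characteristics: no relocation data in the file

def aslr_flags(data: bytes) -> dict:
    """Report the ASLR-related header bits of a PE image (EXE or DLL)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    if len(data) < pe_off + 24 + 72:
        raise ValueError("truncated PE headers")
    opt_size, file_chars = struct.unpack_from("<HH", data, pe_off + 4 + 16)
    opt = pe_off + 24                                          # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported optional header")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32_plus": magic == 0x20B,
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "relocs_stripped": bool(file_chars & RELOCS_STRIPPED),
    }

def build_sample(magic: int, dll_chars: int) -> bytes:
    """Constructed header-only stub for the demo; not a loadable image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    opt_size = 0xE0 if magic == 0x10B else 0xF0
    machine = 0x014C if magic == 0x10B else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    if len(sys.argv) > 1:                                      # audit real files
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, aslr_flags(fh.read()))
    else:                                                      # constructed samples
        print("32-bit, NX only:", aslr_flags(build_sample(0x10B, 0x0100)))
        print("64-bit, ASLR on:", aslr_flags(build_sample(0x20B, 0x0160)))
```

Run with DLL paths as arguments to audit real files; with no arguments it prints the result for the two constructed headers.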

caiob over 11 years ago
how about less acronyms?

sitkack over 11 years ago
I have always suspected Dropbox was a rootkit trojan. Ever since the founder said that it was open to sifting through users' data for copyright violations.

SilliMon over 11 years ago
What's most worrying about this is that Dropbox is injecting itself into processes like Notepad++ and Firefox that have nothing to do with shell extensions.

Either this is lazy coding, or there is some malicious intent to spy.