
I know very little about ASLR. Anyone care to comment on possible reasons why Dropbox would disable it?

I find it hard to believe that this is a deliberate attempt to weaken client-side security, so it's more likely that they are using some legacy code that is somehow incompatible with ASLR. But ASLR has been in Windows since 2007, pre-dating Dropbox by about a year, so they either developed ASLR-incompatible code after the feature was live or the problem is in a third-party component.

Any other explanations? What problems can ASLR cause?



It can slow down your program slightly and cause non-deterministic performance. This shouldn't really be an issue for Dropbox though.


If a single DLL loaded by Dropbox hasn't been compiled with /DYNAMICBASE to instruct the OS to allow ASLR, Dropbox will have some reliable memory addresses available to an attacker, often defeating the purpose of using it on anything.

Perhaps they're using an old or unusual linker?
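The comment above turns on whether every module in the process was linked with /DYNAMICBASE, which can be checked per file by reading the DllCharacteristics field of the PE optional header. The sketch below is an added example, not code from the thread or from Dropbox; the module names and header bytes are constructed for the demo.

```python
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, set by /DYNAMICBASE
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED: no relocation data to rebase with

def aslr_status(image: bytes) -> str:
    """Return 'aslr', 'no-dynamicbase', 'relocs-stripped' or 'not-pe'."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return "not-pe"
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    opt_off = pe_off + 24                # 4-byte signature + 20-byte COFF header
    if len(image) < opt_off + 72 or image[pe_off:pe_off + 4] != b"PE\0\0":
        return "not-pe"
    (coff_flags,) = struct.unpack_from("<H", image, pe_off + 22)
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        return "not-pe"
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt_off + 70)
    if not dll_chars & DYNAMIC_BASE:
        return "no-dynamicbase"
    if coff_flags & RELOCS_STRIPPED:
        return "relocs-stripped"
    return "aslr"

def modules_without_aslr(modules: dict) -> list:
    """Names of modules that would leave fixed addresses in the process."""
    return sorted(n for n, img in modules.items() if aslr_status(img) != "aslr")

def make_pe(dll_chars: int, coff_flags: int = 0x2002) -> bytes:
    """Constructed PE32 headers for the demo (headers only, not a loadable file)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, coff_flags)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

# Constructed sample: hypothetical module names, one linked without /DYNAMICBASE.
SAMPLE = {
    "app.exe": make_pe(0x0140),      # DYNAMIC_BASE | NX_COMPAT
    "plugin.dll": make_pe(0x0140),
    "legacy.dll": make_pe(0x0100),   # NX_COMPAT only
}

if __name__ == "__main__":
    for name in modules_without_aslr(SAMPLE):
        print(f"{name}: {aslr_status(SAMPLE[name])}")
```

To audit a real install, read each .exe and .dll from disk and pass the bytes to `aslr_status`; the first 4 KB of a file is normally enough to cover the headers.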


I understand about the /DYNAMICBASE flag, but I was hoping to understand why they would choose to not set it.

My assumption is that they disabled it for stability/reliability reasons that are specific to their application, and I was further hoping to understand what kind of bugs could be triggered by having ASLR enabled. I've written plenty of C and C++ over many years and can't think of any bugs that I've introduced or found where assumptions about address space layout were involved.

Since we're talking about Windows, I assume they're using Visual Studio and its linker.



