if a single dll loaded by dropbox hasn't been compiled with /DYNAMICBASE to instruct the OS to allow ASLR, Dropbox will have some reliable memory addresses available to an attacker, often defeating the purpose of using it on anything.
I understand about the /DYNAMICBASE flag, but I has hoping to understand why they would choose to not set it.
My assumption is that they disabled it for stability/reliability reasons that are specific to their application, and I was further hoping to understand what kind of bugs could be triggered by having ASLR enabled. I've written plenty of C and C++ over many years and can't think of any bugs that I've introduced or found where assumptions about address place layout were involved.
Since we're talking about Windows, I assume they're using Visual Studio and its linker.
Perhaps they're using an old or unusual linker?