NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0359:  Buffer Protection

Publication Date
2018.09.21

Protection Profiles
PP_APP_v1.2

Other References
FPT_AEX_EXT.1.5

Issue Description

Not all compilers have the /GS compiler option and not all applications are required to be compiled with stack-based buffer overflow protection enabled.

Resolution

The AA for Windows in FPT_AEX_EXT.1.5 is replaced as follows:

For Windows:  Applications that run as Managed Code in the .NET Framework do not require these stack protections. Applications developed in Object Pascal using the Delphi IDE compiled with RangeChecking enabled comply with this element. For other code, the evaluator shall review the TSS and verify that the /GS flag was used during compilation. The evaluator shall run a tool, like BinScope, that can verify the correct usage of /GS.

Justification

See issue description.
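The Windows check in the resolution can be approximated with a short triage script. This is an added example, not NIAP's or BinScope's code. It assumes that a CLR runtime header marks an image containing managed code, and that a non-zero `SecurityCookie` in the PE load configuration directory is evidence the image was linked with the /GS runtime support. The function names and the sample image are constructed for illustration.

```python
import struct

def build_sample(cookie=0, clr=False):
    """Constructed minimal PE32 image (headers + one section), demo input only."""
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 10 * 8, 0x1000, 64)       # load config directory
    if clr:
        struct.pack_into("<II", dirs, 14 * 8, 0x1100, 72)   # CLR runtime header
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16) + bytes(dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8s4I16x", b".rdata", 0x200, 0x1000, 0x200, 0x200)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)          # e_lfanew = 64
    load_cfg = bytearray(0x200)
    struct.pack_into("<I", load_cfg, 0, 64)                  # Size field
    struct.pack_into("<I", load_cfg, 60, cookie)             # SecurityCookie (PE32)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0") + bytes(load_cfg)

def rva_to_offset(data, sect_off, nsect, rva):
    """Map an RVA to a file offset through the section table."""
    for i in range(nsect):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", data, sect_off + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + (rva - vaddr)
    return None

def classify_pe(data):
    """Return 'clr-header', 'gs-cookie' or 'no-gs-cookie' for a PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # NumberOfSections and SizeOfOptionalHeader from the COFF file header
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    pe64 = struct.unpack_from("<H", data, opt)[0] == 0x20B   # PE32+ magic
    dirs = opt + (112 if pe64 else 96)
    ndirs, = struct.unpack_from("<I", data, dirs - 4)
    def directory(i):
        return struct.unpack_from("<II", data, dirs + 8 * i) if i < ndirs else (0, 0)
    if directory(14)[0]:            # CLR header present: image carries managed code
        return "clr-header"         # mixed-mode images still contain native code
    rva = directory(10)[0]
    off = rva_to_offset(data, opt + opt_size, nsect, rva) if rva else None
    if off is None:
        return "no-gs-cookie"
    size, = struct.unpack_from("<I", data, off)
    cookie_off, fmt = (88, "<Q") if pe64 else (60, "<I")
    if size < cookie_off + struct.calcsize(fmt):
        return "no-gs-cookie"       # load config too short to hold the field
    cookie, = struct.unpack_from(fmt, data, off + cookie_off)
    return "gs-cookie" if cookie else "no-gs-cookie"
```

To triage a real binary, pass its bytes to `classify_pe`. A `gs-cookie` result only shows the cookie is registered, so a `no-gs-cookie` or `clr-header` result on a mixed-mode image still calls for the TSS review and a symbol-aware tool.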

 
 