IE8 Security Part I: DEP/NX Memory Protection

Hi, I’m Eric Lawrence from the Internet Explorer Security Team. With the RSA security conference kicking off this week, I wanted to start sharing more information about the security features and benefits of Internet Explorer 8 Beta 1. Over the next several weeks, we’ll blog in greater detail about some of the security improvements in Beta 1, such as the new Safety Filter, greater control over ActiveX controls, and new AJAX features for safer mashups (XDomainRequest and XDM). This is not a complete list of our security investments for the release; we will have more to talk about during future milestones.

Internet Explorer 8 security features target three major sources of security exploits: social engineering, Web server, and browser-based vulnerabilities. This post will cover IE8 Data Execution Prevention (DEP), a feature that mitigates browser-based vulnerabilities.

DEP/NX Memory Protection in Internet Explorer 8
Internet Explorer 7 on Windows Vista introduced an off-by-default Internet Control Panel option to “Enable memory protection to help mitigate online attacks.”  This option is also referred to as Data Execution Prevention (DEP) or No-Execute (NX). 

We have enabled this option by default for Internet Explorer 8 on Windows Server 2008, Windows Vista SP1 and later, and Windows XP SP3 and later.

DEP/NX helps to foil attacks by preventing code from running in memory that is marked non-executable.  DEP/NX, combined with other technologies like Address Space Layout Randomization (ASLR), makes it harder for attackers to exploit certain types of memory-related vulnerabilities like buffer overruns. Best of all, the protection applies to both Internet Explorer and the add-ons it loads. No additional user interaction is required to provide this protection, and no new prompts are introduced.

DEP/NX Compatibility
For Internet Explorer 7, DEP/NX was disabled by default for compatibility reasons.  Several popular add-ons were not compatible with DEP/NX and would crash when Internet Explorer loaded them with DEP/NX enabled.  The most common problem was that these add-ons were built using an older version of the ATL library.  Before version 7.1 SP1, ATL relied upon dynamically generated code in a way not compatible with DEP/NX.  While developers of many popular add-ons have since released updated extensions compatible with DEP/NX, some add-ons may not be updated before Internet Explorer 8 becomes available.

Fortunately, new DEP/NX APIs have been added to Windows Server 2008 and recent Windows Service Packs to enable use of DEP/NX while retaining compatibility with older ATL versions.  These new APIs allow Internet Explorer to opt in to DEP/NX without causing add-ons built with older versions of ATL to crash.

In rare cases where an add-on is not DEP/NX compatible for reasons other than outdated ATL usage, a group policy option will be available to allow an organization to opt out of DEP/NX for Internet Explorer until an updated version of the broken add-on can be deployed.  Local Administrators can control DEP/NX by running Internet Explorer as an Administrator and unchecking the Tools > Internet Options > Advanced > “Enable memory protection to help mitigate online attacks” option.

Checking Your Protection
You can see which processes are protected by DEP/NX on Windows Vista Task Manager’s Process tab; on earlier versions of Windows, you can use Process Explorer.  In either case, ensure that the “Data Execution Prevention” box is checked in the View > Select Columns menu.

Developer Call to Action
If you build Internet Explorer add-ons, you can help ensure users enjoy a smooth upgrade to IE8 by taking the following steps today:

  1. If your code depends on older versions of ATL, please rebuild it with ATL v7.1 SP1 or later (Visual Studio 2005 includes ATL 8.0).
  2. Set the /NXCompat linker option to indicate that your extension is compatible with DEP/NX.
  3. Test your code with DEP/NX enabled using IE8 Beta 1 on Windows Vista SP1. (Alternatively, test with IE7 on Windows Vista after enabling the DEP/NX option. To enable DEP/NX for IE7: Run IE as an administrator, then set the appropriate checkbox in the Tools > Internet Options > Advanced tab.)
  4. Opt your code into other available defenses like stack defense (/GS), safe exception handling (/SafeSEH), and ASLR (/DynamicBase).
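
To confirm that a built add-on actually carries the opt-ins from steps 2 and 4, you can read the DllCharacteristics field of its PE header, where the linker records /NXCompat and /DynamicBase. The script below is an added example, not code from the original post; `make_sample` builds a constructed header purely for the demo, and /GS and /SafeSEH are not checked because they are not recorded in this field.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header
DYNAMIC_BASE = 0x0040   # set by /DynamicBase (ASLR)
NX_COMPAT = 0x0100      # set by /NXCompat (DEP/NX)

def dll_characteristics(image):
    """Return the DllCharacteristics field of a PE image, or raise ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if pe_off + 96 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 24            # 4-byte signature + 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags

def audit(image):
    """List the linker opt-ins (steps 2 and 4) that the image is missing."""
    flags = dll_characteristics(image)
    missing = []
    if not flags & NX_COMPAT:
        missing.append("/NXCompat")
    if not flags & DYNAMIC_BASE:
        missing.append("/DynamicBase")
    return missing

def make_sample(flags):
    """Constructed minimal PE32 header (not a loadable DLL), for the demo only."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x2102)
    opt = struct.pack("<H", 0x10B) + bytes(68) + struct.pack("<H", flags) + bytes(24)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # e.g. the add-on DLLs from a build
        with open(path, "rb") as f:
            print(path, audit(f.read()) or "ok")
    if len(sys.argv) == 1:             # no files given: use constructed samples
        print(audit(make_sample(0)), audit(make_sample(NX_COMPAT | DYNAMIC_BASE)))
```

Run it with the paths of your add-on binaries as arguments; an empty result for a file means both flags are present.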

Thanks for your help in securing the web!

Eric Lawrence
Program Manager

Updated 9/14/2009 to reflect that DEP/NX protection is enabled on Windows XP SP3. While Windows XP does not offer ASLR protection, DEP/NX alone does make exploitation somewhat more challenging.

Update: Are you encountering DEP/NX crashes in Internet Explorer 8?  See this post for more information.

Comments

  • Anonymous
    April 08, 2008
    Hi, Why isn't the option: Tools > Internet Options > Advanced > “Enable memory protection to help mitigate online attacks” available in the 64-bit edition of Internet Explorer 8 beta 1 (obviously in Vista x64)? Although, I can check this option in the 32-bit edition of IE8... Does it mean Internet Explorer 64-bit uses DEP by default (well, iexplore.exe is "protected" on Task Manager's Process tab)? Regards, MusK

  • Anonymous
    April 08, 2008
    @MusK: Great question!  In Windows, all 64-bit processes have DEP enabled automatically.  There is no mechanism to disable DEP for a 64-bit process.

  • Anonymous
    April 08, 2008
    Eric Lawrence just posted some commentary about IE8 and DEP/NX. As you may know, IE7 supports DEP/NX,

  • Anonymous
    April 08, 2008
    Markus: That was discovered quite some time ago :) https://connect.microsoft.com/IE/feedback/ViewFeedback.aspx?FeedbackID=331735

  • Anonymous
    April 08, 2008
    Does JRE now work with DEP/NX enabled? That was the primary plug-in that crashed for me so I left DEP off in IE7 on Vista.

  • Anonymous
    April 08, 2008
    @Derek: Yes, in our tests, current versions of the JRE run correctly with DEP enabled when running on IE8 on Vista SP1.  

  • Anonymous
    April 08, 2008
    The DEP option is grayed out for me.  I'm running Vista SP1 x86.

  • Anonymous
    April 08, 2008
    @chrisbro to enable DEP in IE7 you have to run IE7 "as administrator" once (right click on IE7 -> run as administrator, enable memory protection, close IE7)

  • Anonymous
    April 08, 2008
    What if the computer doesn't have a processor with DEP? Mine doesn't have one. Is DEP/NX Memory Protection in Internet Explorer 8 still useful for people who do not have a processor with DEP?

  • Anonymous
    April 09, 2008
    I find it safer if you provide users the ability to access Add-ons and delete those add-ons, which would be very useful for anti-malware staff. It is also recommended because sometimes the files cannot be deleted while they are still in use by IE; the user should be able to delete them and restart IE to stop the malware from multiplying.

  • Anonymous
    April 09, 2008
    @Anonymous: We haven't encountered DEP-compatibility problems with the current versions of any of the plugins that you've mentioned. @KW: Virtually all processors for sale in the past few years support DEP, but you're correct to note that older processors may not.  Without processor support, the DEP option will provide comparatively little protection. Note: In prior years, some major OEMs shipped computers with DEP-capable processors, but (for reasons I don't understand) disabled the DEP feature in the system BIOS.  In such cases, users typically can re-enable hardware support for DEP by using the BIOS setup screen.

  • Anonymous
    April 09, 2008
    @mocax = Since IE7 was released, CTRL + T will get you new tab, similar to Mozilla Firefox.

  • Anonymous
    April 09, 2008
    IE Team at Microsoft blog about the security improvements on IE8 which is currently in its beta stage

  • Anonymous
    April 11, 2008
    A bit OT but is the Temporary Internet Files cache overflow problem fixed in IE8? It's the problem where the TIF becomes bigger than its specified size. It still happens to me on IE7.

  • Anonymous
    April 13, 2008
    Lucan, Anonymous: in Vista, IE8, Alt+Enter no longer creates a new tab for me, either.  XP is fine, though.  Will debug if nobody else gets it...

  • Anonymous
    April 13, 2008
    I'm intrigued by this indirectly, being a Windows developer developing in ATL, MFC and COM. How do I get hold of ATL 7.1 SP1? Am I already running it, given that I'm running VS 2003 (with SP1 applied), or is ATL 7.1 SP1 a separate download? If so, which version number should I be looking for? C:\WINDOWS\system32\atl71.dll is versioned as: 7.10.6030.0 Can anyone help? Mike

  • Anonymous
    April 14, 2008
    @Mark: ALT+Enter being broken only on Vista is a known issue in Beta-1, thanks. @Mike: You'll get the latest version of ATL when you install the VS service pack.  7.10.6030.0 is the latest version.

  • Anonymous
    April 14, 2008
    @iron2000: The TIF settings are not a strict maximum.  Instead, they determine the threshold that kicks off the cache scavenger, used to remove older / less important cache entries.   So, while browsing, IE may temporarily exceed the set value (e.g. while downloading a large file) but eventually the cache scavenger will run and clean files to get the cache down under the size quota.

  • Anonymous
    April 15, 2008
    On the Internet Explorer team's blog, a mini-series begins by Eric Lawrence of the Internet Explorer

  • Anonymous
    May 07, 2008
    Hi, I’m Matt Crowley, Program Manager for Extensibility with Internet Explorer. The team was very excited

  • Anonymous
    June 19, 2008
    Firefox 3 premiered on Tuesday. In one statement, Window Snyder said: In setting out to elevate Firefox's basic security, Snyder is also compelling Microsoft and Apple, maker of the Safari browser, to follow her lead — or get ou

  • Anonymous
    July 02, 2008
    As someone whose email address is posted in thousands of forum posts, newsgroup discussions, and blogs,

  • Anonymous
    July 02, 2008
    Internet Explorer 8 - Security

  • Anonymous
    August 12, 2008
    The release of Beta 2 of version 8 of Internet Explorer is fast approaching. As

  • Anonymous
    August 28, 2008
    The next beta for Internet Explorer has been released for broad distribution to the public, according

  • Anonymous
    August 29, 2008
    Back in June, Dean Hachamovitch kicked off a series of blog posts explaining how the IE team approached

  • Anonymous
    February 09, 2009
    Hello, I'm Alex Glover and I'm the test owner of the SmartScreen Filter in Internet Explorer 8. The SmartScreen

  • Anonymous
    February 17, 2009
    Changes to the SmartScreen Filter in IE8 RC1 Hello, my name is Alex Glover and I am the lead

  • Anonymous
    March 16, 2009
    Hello. I'm Eric Lawrence from the Internet Explorer Security Team. To coincide with the RSA security conference starting this week, on the security features of Internet Explorer 8 Beta 1

  • Anonymous
    March 19, 2009
    Today we’re excited to release the final build of Internet Explorer 8 in 25 languages. IE8 makes what

  • Anonymous
    March 25, 2009
    Over the last year, we’ve published two posts about how the IE8 SmartScreen ® filter helps to prevent

  • Anonymous
    March 30, 2009
    IE8 Security: Protecting against malware with the SmartScreen Filter Last year we published

  • Anonymous
    April 21, 2009
    I attended Scott Charney’s keynote this morning at RSA – Moving Towards End to End Trust: A Collaborative

  • Anonymous
    May 29, 2009
    From time to time, folks ask a variety of questions about 64bit IE. I hope to answer the most common

  • Anonymous
    June 01, 2009
    Hello, this is 五寳. The memory protection feature (DEP/NX Memory Protection) that has been implemented since IE7 is enabled by default starting with IE8 (if the conditions are met).