IE8 Security Part I: DEP/NX Memory Protection


Hi, I’m Eric Lawrence from the Internet Explorer Security Team. With the RSA security conference kicking off this week, I wanted to start sharing more information about the security features and benefits of Internet Explorer 8 Beta 1. Over the next several weeks, we’ll blog in greater detail about some of the security improvements in Beta 1, such as the new Safety Filter, greater control over ActiveX controls, and new AJAX features for safer mashups (XDomainRequest and XDM). This is not a complete list of our security investments for the release; we will have more to talk about during future milestones.

Internet Explorer 8 security features target three major sources of security exploits: social engineering, Web server, and browser-based vulnerabilities. This post will cover IE8 Data Execution Prevention (DEP), a feature that mitigates browser-based vulnerabilities.

DEP/NX Memory Protection in Internet Explorer 8
Internet Explorer 7 on Windows Vista introduced an off-by-default Internet Control Panel option to “Enable memory protection to help mitigate online attacks.”  This option is also referred to as Data Execution Prevention (DEP) or No-Execute (NX). 

We have enabled this option by default for Internet Explorer 8 on Windows Server 2008, Windows Vista SP1 and later, and Windows XP SP3 and later.

DEP/NX helps to foil attacks by preventing code from running in memory that is marked non-executable.  DEP/NX, combined with other technologies like Address Space Layout Randomization (ASLR), make it harder for attackers to exploit certain types of memory-related vulnerabilities like buffer overruns. Best of all, the protection applies to both Internet Explorer and the add-ons it loads. No additional user interaction is required to provide this protection, and no new prompts are introduced.

DEP/NX Compatibility
For Internet Explorer 7, DEP/NX was disabled by default for compatibility reasons.  Several popular add-ons were not compatible with DEP/NX and would crash when Internet Explorer loaded them with DEP/NX enabled.  The most common problem was that these add-ons were built using an older version of the ATL library.  Before version 7.1 SP1, ATL relied upon dynamically generated code in a way not compatible with DEP/NX.  While developers of many popular add-ons have since released updated extensions compatible with DEP/NX, some add-ons may not be updated before Internet Explorer 8 becomes available.

Fortunately, new DEP/NX APIs have been added to Windows Server 2008 and recent Windows Service Packs to enable use of DEP/NX while retaining compatibility with older ATL versions.  These new APIs allow Internet Explorer to opt-in to DEP/NX without causing add-ons built with older versions of ATL to crash. 

In rare cases where an add-on is not DEP/NX compatible for reasons other than outdated ATL usage, a group policy option will be available to allow an organization to opt-out of DEP/NX for Internet Explorer until an updated version of the broken add-on can be deployed.  Local Administrators can control DEP/NX by running Internet Explorer as an Administrator and unchecking the Tools > Internet Options > Advanced > “Enable memory protection to help mitigate online attacks” option.

Checking Your Protection
You can see which processes are protected by DEP/NX on Windows Vista Task Manager’s Process tab; on earlier versions of Windows, you can use Process Explorer.  In either case, ensure that the “Data Execution Prevention” box is checked in the View > Select Columns menu.

Developer Call to Action
If you build Internet Explorer add-ons, you can help ensure users enjoy a smooth upgrade to IE8 by taking the following steps today:

  1. If your code depends on older versions of ATL, please rebuild it with ATL v7.1 SP1 or later (Visual Studio 2005 includes ATL 8.0)
  2. Set the /NXCompat linker option to indicate that your extension is compatible with DEP/NX
  3. Test your code with DEP/NX enabled using IE8 Beta 1 on Windows Vista SP1. (Alternatively, test with IE7 on Windows Vista after enabling the DEP/NX option. To enable DEP/NX for IE7: Run IE as an administrator, then set the appropriate checkbox in the Tools > Internet Options > Advanced tab)
  4. Opt your code into other available defenses like stack defense (/GS), safe exception handling (/SafeSEH), and ASLR (/DynamicBase)
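Steps 2 and 4 above each leave a trace in the binary: the linker records /NXCompat and /DynamicBase as bits in the DllCharacteristics field of the PE optional header, so an add-on author (or an administrator auditing installed add-ons) can check the built DLL rather than waiting for a crash under DEP/NX. The script below is an added example, not code from the original post or from the IE team; the function and constant names are my own, while the header offsets and flag values are the ones defined in the PE/COFF specification. The sample images it checks are constructed inline from bare headers and are not loadable. Note that /GS and /SafeSEH do not set bits in this field (the /GS cookie lives in the code and the SafeSEH handler table in the load-config directory), so the script reports only the two flags it can actually see.

```python
"""Report which DEP/NX and ASLR linker opt-ins a PE image's optional header records."""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by /DYNAMICBASE (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # set by /NXCOMPAT (DEP/NX)

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DLLCHARACTERISTICS_OFFSET = 70   # same offset in PE32 and PE32+ optional headers

# Linker switch that sets each bit; used when reporting what is missing (hypothetical table name).
LINKER_SWITCH = {
    IMAGE_DLLCHARACTERISTICS_NX_COMPAT: "/NXCOMPAT",
    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: "/DYNAMICBASE",
}


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, validating the headers on the way."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_header = e_lfanew + 4
    if len(image) < coff_header + 20:
        raise ValueError("truncated COFF header")
    (opt_size,) = struct.unpack_from("<H", image, coff_header + 16)   # SizeOfOptionalHeader
    optional_header = coff_header + 20
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2 or len(image) < optional_header + opt_size:
        raise ValueError("optional header too small or truncated")
    (magic,) = struct.unpack_from("<H", image, optional_header)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    (chars,) = struct.unpack_from("<H", image, optional_header + DLLCHARACTERISTICS_OFFSET)
    return chars


def missing_mitigation_switches(image: bytes) -> list:
    """Linker switches whose DllCharacteristics bit is absent from the image, in table order."""
    chars = dll_characteristics(image)
    return [name for bit, name in LINKER_SWITCH.items() if not chars & bit]


def build_sample_pe(chars: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: just enough header bytes for the parser (not a loadable image)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE signature right after the DOS header
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C        # AMD64 or i386
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | EXECUTABLE | 32BIT).
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # With paths on the command line, audit real add-on DLLs; otherwise use the constructed samples.
    targets = [(path, open(path, "rb").read()) for path in sys.argv[1:]] or [
        ("old-atl-addon.dll (constructed)", build_sample_pe(0)),
        ("rebuilt-addon.dll (constructed)", build_sample_pe(0x0140, pe32plus=True)),
    ]
    for name, image in targets:
        missing = missing_mitigation_switches(image)
        print(name, "OK" if not missing else "missing " + ", ".join(missing))
```

Run it with one or more DLL paths to audit real add-ons; a DLL that reports `/NXCOMPAT` missing is one that will load into IE8 only through the ATL-thunk compatibility path described above, and is the first candidate to rebuild.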

Thanks for your help in securing the web!

Eric Lawrence
Program Manager

Updated 9/14/2009 to reflect that DEP/NX protection is enabled on Windows XP SP3. While Windows XP does not offer ASLR protection, DEP/NX alone does make exploitation somewhat more challenging.

Update: Are you encountering DEP/NX crashes in Internet Explorer 8?  See this post for more information.

Comments (40)

  1. MusK says:

    Hi,

    Why isn’t the option Tools > Internet Options > Advanced > “Enable memory protection to help mitigate online attacks” available in the 64-bit edition of Internet Explorer 8 Beta 1 (obviously on Vista x64)?

    Although I can check this option in the 32-bit edition of IE8… Does it mean Internet Explorer 64-bit uses DEP by default (well, iexplore.exe is "protected" on Task Manager’s Process tab)?

    Regards,

    MusK

  2. EricLaw [MSFT] says:

    @MusK: Great question!  In Windows, all 64-bit processes have DEP enabled automatically.  There is no mechanism to disable DEP for a 64-bit process.

  3. Markus says:

    eric: Great post Eric, no beefs at all.

    IE Team: What is the strategy for opacity support in IE8?

    At the moment, it looks like CSS3 opacity:

     opacity: 0.5;

    is off the table (ok, fine), but there is no

    -msie-opacity support either (e.g. before the spec is final)

     -msie-opacity: 0.5;

    and worse yet, it appears to me (from my testing), that the IE proprietary filter based opacity doesn’t work either.

     filter: alpha(opacity=50);

    Which in itself sucks, but worse yet, it applies an opacity=0%!!!!!! if you try to set it (e.g. 100% transparent!)

    I certainly hope this is fixed in IE8 soon, but if it won’t support the legacy stuff, can we please have the filter:alpha fallback to 100% opacity, so that our interfaces at least appear on screen.

    By the way, I don’t see much ranting about this on the blog?  Am I truly the only one to have seen this? or was this found very early on?

  4. Eric Lawrence just posted some commentary about IE8 and DEP/NX. As you may know, IE7 supports DEP/NX,

  5. Chris Mahoney says:

    Markus: That was discovered quite some time ago 🙂

    https://connect.microsoft.com/IE/feedback/ViewFeedback.aspx?FeedbackID=331735

  6. Derek says:

    Does JRE now work with DEP/NX enabled? That was the primary plug-in that crashed for me, so I left DEP off in IE7 on Vista.

  7. EricLaw [MSFT] says:

    @Derek: Yes, in our tests, current versions of the JRE run correctly with DEP enabled when running on IE8 on Vista SP1.  

  8. chrisbro says:

    The DEP option is grayed out for me.  I’m running Vista SP1 x86.

  9. BillD says:

    @chrisbro

    to enable DEP in IE7 you have to run IE7 "as administrator" once (right click on IE7 -> run as administrator, enable memory protection, close IE7)

  10. KW says:

    What if the computer doesn’t have a processor with DEP? Mine doesn’t have one. Is DEP/NX Memory Protection in Internet Explorer 8 still useful for people who do not have a processor with DEP?

  11. BillD says:

    @chrisbro

    to enable DEP in IE7 you have to run IE7 "as administrator" once (right click on IE7 -> run as administrator, enable memory protection, close IE7)

  12. Lucan says:

    I find it safer if you provide users the ability to access add-ons and delete those add-ons, which would be very useful for anti-malware staff.

    Also, it is recommended because sometimes the file cannot be deleted while it is still in use by IE; the user should be able to delete it and restart IE to stop the malware from multiplying.

  13. anonymous says:

    So, of the major addons, Google, Yahoo! and Windows Live Toolbars, Silverlight, Flash and Java have to be DEP-compatible. Which ones already are?

  14. EricLaw [MSFT] says:

    @Anonymous: We haven’t encountered DEP-compatibility problems with the current versions of any of the plugins that you’ve mentioned.

    @KW: Virtually all processors for sale in the past few years support DEP, but you’re correct to note that older processors may not.  Without processor support, the DEP option will provide comparatively little protection.

    Note: In prior years, some major OEMs shipped computers with DEP-capable processors, but (for reasons I don’t understand) disabled the DEP feature in the system BIOS.  In such cases, users typically can re-enable hardware support for DEP by using the BIOS setup screen.

  15. mocax says:

    In Vista, ALT+Enter in search box doesn’t open up in a new tab, is it security related?

    In XP it works fine.

  16. Lucan says:

    @mocax: Since IE7 was released, CTRL + T will get you a new tab, similar to Mozilla Firefox.

  17. Anonymous says:

    ALT+Enter in the search box is opening a new tab for me on Vista.

  18. IE Team at Microsoft blog about the security improvements on IE8 which is currently in its beta stage

  19. iron2000 says:

    A bit OT, but is the Temporary Internet Files cache overflow problem fixed in IE8?

    It’s the problem where the TIF becomes bigger than its specified size. It still happens to me on IE7.

  20. Mark Steward says:

    Lucan, Anonymous: in Vista, IE8, Alt+Enter no longer creates a new tab for me, either.  XP is fine, though.  Will debug if nobody else gets it…

  21. Mike Diack says:

    I’m intrigued by this indirectly, being a Windows developer developing in ATL, MFC and COM.

    How do I get hold of atl 7.1 SP1?

    Am I already running it, given that I’m running VS 2003 (with SP1 applied), or is atl 7.1 sp1 a separate download?

    If so, which version number should I be looking for?

    C:\WINDOWS\system32\atl71.dll

    is versioned as:

    7.10.6030.0

    Can anyone help?

    Mike

  22. EricLaw [MSFT] says:

    @Mark: ALT+Enter being broken only on Vista is a known issue in Beta-1, thanks.

    @Mike: You’ll get the latest version of ATL when you install the VS service pack.  7.10.6030.0 is the latest version.

  23. EricLaw [MSFT] says:

    @iron2000: The TIF settings are not a strict maximum.  Instead, they determine the threshold that kicks off the cache scavenger, used to remove older / less important cache entries.  

    So, while browsing, IE may temporarily exceed the set value (e.g. while downloading a large file) but eventually the cache scavenger will run and clean files to get the cache down under the size quota.

  24. On the Internet Explorer team’s blog, a mini-series by Eric Lawrence of the Internet Explorer

  25. IEBlog says:

    Hi, I’m Matt Crowley, Program Manager for Extensibility with Internet Explorer. The team was very excited

  26. Firefox 3 had its premiere on Tuesday. In one statement, Window Snyder said: In setting out to elevate Firefox’s basic security, Snyder is also compelling Microsoft and Apple, maker of the Safari browser, to follow her lead — or get ou

  27. IEBlog says:

    As someone whose email address is posted in thousands of forum posts, newsgroup discussions, and blogs,

  28. Internet Explorer 8 – Security

  29. Igor Macori says:

    The release of Beta 2 of Internet Explorer version 8 is fast approaching. As

  30. The next beta for Internet Explorer has been released for broad distribution to the public, according

  31. IEBlog says:

    Back in June, Dean Hachamovitch kicked off a series of blog posts explaining how the IE team approached

  32. IEBlog says:

    Hello, I’m Alex Glover and I’m the test owner of the SmartScreen Filter in Internet Explorer 8. The SmartScreen

  33. Changes to the SmartScreen Filter in IE8 RC1 Hello, my name is Alex Glover and I am the lead

  34. Hello. I’m Eric Lawrence from the Internet Explorer Security Team. In time for the RSA security conference kicking off this week, the security features of Internet Explorer 8 Beta 1

  35. IEBlog says:

    Today we’re excited to release the final build of Internet Explorer 8 in 25 languages. IE8 makes what

  36. IEBlog says:

    Over the last year, we’ve published two posts about how the IE8 SmartScreen ® filter helps to prevent

  37. IE8 Security: Protection from Malware with the SmartScreen Filter Last year we published

  38. I attended Scott Charney’s keynote this morning at RSA – Moving Towards End to End Trust: A Collaborative

  39. IEInternals says:

    From time to time, folks ask a variety of questions about 64bit IE. I hope to answer the most common

  40. Hello, this is 五寳. The memory protection feature (DEP/NX Memory Protection) has been implemented since IE7, and starting with IE8 it is enabled by default (if the conditions are met).