IE8 Security Part I: DEP/NX Memory Protection

Hi, I’m Eric Lawrence from the Internet Explorer Security Team. With the RSA security conference kicking off this week, I wanted to start sharing more information about the security features and benefits of Internet Explorer 8 Beta 1. Over the next several weeks, we’ll blog in greater detail about some of the security improvements in Beta 1, such as the new Safety Filter, greater control over ActiveX controls, and new AJAX features for safer mashups (XDomainRequest and XDM). This is not a complete list of our security investments for the release; we will have more to talk about during future milestones.

Internet Explorer 8 security features target three major sources of security exploits: social engineering, Web server, and browser-based vulnerabilities. This post will cover IE8 Data Execution Prevention (DEP), a feature that mitigates browser-based vulnerabilities.

DEP/NX Memory Protection in Internet Explorer 8
Internet Explorer 7 on Windows Vista introduced an off-by-default Internet Control Panel option to “Enable memory protection to help mitigate online attacks.” This option is also referred to as Data Execution Prevention (DEP) or No-Execute (NX).

We have enabled this option by default for Internet Explorer 8 on Windows Server 2008, Windows Vista SP1 and later, and Windows XP SP3 and later.

DEP/NX helps to foil attacks by preventing code from running in memory that is marked non-executable. DEP/NX, combined with other technologies like Address Space Layout Randomization (ASLR), makes it harder for attackers to exploit certain types of memory-related vulnerabilities like buffer overruns. Best of all, the protection applies to both Internet Explorer and the add-ons it loads. No additional user interaction is required to provide this protection, and no new prompts are introduced.

DEP/NX Compatibility
For Internet Explorer 7, DEP/NX was disabled by default for compatibility reasons.  Several popular add-ons were not compatible with DEP/NX and would crash when Internet Explorer loaded them with DEP/NX enabled.  The most common problem was that these add-ons were built using an older version of the ATL library.  Before version 7.1 SP1, ATL relied upon dynamically generated code in a way not compatible with DEP/NX.  While developers of many popular add-ons have since released updated extensions compatible with DEP/NX, some add-ons may not be updated before Internet Explorer 8 becomes available.

Fortunately, new DEP/NX APIs have been added to Windows Server 2008 and recent Windows Service Packs to enable use of DEP/NX while retaining compatibility with older ATL versions.  These new APIs allow Internet Explorer to opt-in to DEP/NX without causing add-ons built with older versions of ATL to crash. 

In rare cases where an add-on is not DEP/NX compatible for reasons other than outdated ATL usage, a group policy option will be available to allow an organization to opt-out of DEP/NX for Internet Explorer until an updated version of the broken add-on can be deployed.  Local Administrators can control DEP/NX by running Internet Explorer as an Administrator and unchecking the Tools > Internet Options > Advanced > “Enable memory protection to help mitigate online attacks” option.

Checking Your Protection
You can see which processes are protected by DEP/NX on the Processes tab of Windows Vista’s Task Manager; on earlier versions of Windows, you can use Process Explorer. In either case, ensure that the “Data Execution Prevention” box is checked in the View > Select Columns menu.

Developer Call to Action
If you build Internet Explorer add-ons, you can help ensure users enjoy a smooth upgrade to IE8 by taking the following steps today:

  1. If your code depends on older versions of ATL, please rebuild it with ATL v7.1 SP1 or later (Visual Studio 2005 includes ATL 8.0).
  2. Set the /NXCompat linker option to indicate that your extension is compatible with DEP/NX.
  3. Test your code with DEP/NX enabled using IE8 Beta 1 on Windows Vista SP1. (Alternatively, test with IE7 on Windows Vista after enabling the DEP/NX option. To enable DEP/NX for IE7: run IE as an administrator, then set the appropriate checkbox in the Tools > Internet Options > Advanced tab.)
  4. Opt your code into other available defenses like stack defense (/GS), safe exception handling (/SafeSEH), and ASLR (/DynamicBase).
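
To make steps 2 and 4 checkable, here is an added example in C (my own code, not from the IE team or this post). It reads the DllCharacteristics field of a PE image's optional header and reports whether a module was linked with /NXCompat and /DynamicBase. When built on Windows, its main also performs the process-level DEP/NX opt-in that the compatibility section describes; I assume the API meant there is SetProcessDEPPolicy, called with PROCESS_DEP_ENABLE alone so ATL thunk emulation stays on, and it confirms the result with GetProcessDEPPolicy. The PE image it parses is constructed inline, so the check runs offline on any platform; the API names and flag values are from the Windows SDK.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600   /* SetProcessDEPPolicy needs Vista SP1 / XP SP3 era headers */
#endif
#include <windows.h>
#endif

/* DllCharacteristics bits (own names to avoid clashing with windows.h). */
#define DLLCHAR_DYNAMIC_BASE 0x0040   /* set by /DynamicBase (ASLR) */
#define DLLCHAR_NX_COMPAT    0x0100   /* set by /NXCompat (DEP/NX) */
#define PE32_MAGIC     0x10b
#define PE32PLUS_MAGIC 0x20b

typedef struct {
    int valid;                    /* 1 if the buffer parsed as a PE image */
    int nx_compat;                /* 1 if linked with /NXCompat */
    int dynamic_base;             /* 1 if linked with /DynamicBase */
    uint16_t dll_characteristics; /* raw field for further inspection */
} pe_mitigations;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk DOS header -> PE signature -> COFF header -> optional header and read
   DllCharacteristics. Every offset is bounds-checked against len first. */
pe_mitigations pe_check_mitigations(const uint8_t *img, size_t len)
{
    pe_mitigations r = {0, 0, 0, 0};
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return r;
    uint32_t pe_off = rd32(img + 0x3C);                   /* e_lfanew */
    /* need signature (4) + COFF header (20) + optional header through DllCharacteristics (72) */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return r;
    const uint8_t *pe = img + pe_off;
    if (memcmp(pe, "PE\0\0", 4) != 0) return r;
    if (rd16(pe + 4 + 16) < 72) return r;                  /* SizeOfOptionalHeader too small */
    const uint8_t *opt = pe + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != PE32_MAGIC && magic != PE32PLUS_MAGIC) return r;
    /* DllCharacteristics is at offset 70 of both the PE32 and PE32+ optional header */
    r.dll_characteristics = rd16(opt + 70);
    r.valid = 1;
    r.nx_compat = (r.dll_characteristics & DLLCHAR_NX_COMPAT) != 0;
    r.dynamic_base = (r.dll_characteristics & DLLCHAR_DYNAMIC_BASE) != 0;
    return r;
}

/* Constructed sample: a minimal PE32 header (not a real module) carrying the given
   DllCharacteristics, so the check can be exercised without a DLL on disk. */
size_t build_sample_image(uint16_t dll_chars, uint8_t *buf, size_t cap)
{
    const uint32_t pe_off = 0x80;
    size_t total = pe_off + 4 + 20 + 224;     /* PE32 optional header is 224 bytes */
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)pe_off;              /* e_lfanew, little-endian */
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *coff = buf + pe_off + 4;
    coff[0] = 0x4c; coff[1] = 0x01;           /* Machine = IMAGE_FILE_MACHINE_I386 */
    coff[16] = 224; coff[17] = 0;             /* SizeOfOptionalHeader */
    uint8_t *opt = coff + 20;
    opt[0] = 0x0b; opt[1] = 0x01;             /* Magic = PE32 */
    opt[70] = (uint8_t)(dll_chars & 0xff); opt[71] = (uint8_t)(dll_chars >> 8);
    return total;
}

static void report(const char *name, pe_mitigations m)
{
    if (!m.valid) { printf("%s: not a PE image\n", name); return; }
    printf("%s: /NXCompat=%s /DynamicBase=%s (DllCharacteristics=0x%04x)\n", name,
           m.nx_compat ? "yes" : "NO", m.dynamic_base ? "yes" : "NO", m.dll_characteristics);
}

int main(int argc, char **argv)
{
#ifdef _WIN32
    /* Process-level opt-in as a host can do it: PROCESS_DEP_ENABLE alone leaves ATL
       thunk emulation on, so add-ons built with pre-7.1 SP1 ATL keep working.
       Fails with ERROR_NOT_SUPPORTED in 64-bit processes, where DEP is always on. */
    if (!SetProcessDEPPolicy(PROCESS_DEP_ENABLE))
        printf("SetProcessDEPPolicy failed: %lu\n", (unsigned long)GetLastError());
    DWORD flags = 0; BOOL permanent = FALSE;
    if (GetProcessDEPPolicy(GetCurrentProcess(), &flags, &permanent))
        printf("DEP is %s for this process%s\n",
               (flags & PROCESS_DEP_ENABLE) ? "enabled" : "disabled", permanent ? " (permanent)" : "");
#endif
    uint8_t buf[512];
    if (argc > 1) {                            /* optional: check a real module given on the command line */
        FILE *f = fopen(argv[1], "rb");
        if (f) { size_t n = fread(buf, 1, sizeof buf, f); fclose(f); report(argv[1], pe_check_mitigations(buf, n)); }
    }
    size_t n = build_sample_image(DLLCHAR_NX_COMPAT | DLLCHAR_DYNAMIC_BASE, buf, sizeof buf);
    report("sample-hardened", pe_check_mitigations(buf, n));
    n = build_sample_image(0, buf, sizeof buf);
    report("sample-legacy", pe_check_mitigations(buf, n));
    return 0;
}
```

Only the first 512 bytes of a file are read, which covers the headers of any normally laid-out module. Note what the header does and does not tell you: /GS leaves no header mark at all, and /SafeSEH is recorded in the load configuration directory rather than in DllCharacteristics, so those two still need a separate check (dumpbin /loadconfig for SafeSEH). For a DLL loaded into Internet Explorer, the NX_COMPAT bit documents compatibility rather than changing policy; what decides whether DEP/NX is on is the hosting process's setting, which is exactly why IE8 opts in process-wide.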

Thanks for your help in securing the web!

Eric Lawrence
Program Manager

Updated 9/14/2009 to reflect that DEP/NX protection is enabled on Windows XP SP3. While Windows XP does not offer ASLR protection, DEP/NX alone does make exploitation somewhat more challenging.

Update: Are you encountering DEP/NX crashes in Internet Explorer 8?  See this post for more information.