Internet Explorer 9 Security Part 1: Enhanced Memory Protections


Internet Explorer offers layered defenses to protect against and mitigate each of three major classes of threats that browser users face when surfing the sometimes-hostile Web:

  1. Technological attacks designed to exploit the browser or operating system
  2. Web attacks designed to exploit vulnerabilities in Web sites
  3. Social engineering attacks against the user’s trust

Today’s post covers how browsers’ memory protections mitigate threats in the first class.

Preventing Reliable Exploitation

The goal of these memory protection features is helping prevent reliable exploitation of a memory-related vulnerability. Each technology in the “alphabet soup” of acronyms below is a way to securely terminate the browser tab before malicious code can run. Internet Explorer 9 utilizes the latest memory protection technologies to help prevent an attacker’s code from running if a memory-related vulnerability is discovered in the browser or one of its add-ons:

DEP/NX (Data Execution Prevention / No eXecute) is enabled by default in Internet Explorer 8 and 9 and it is the foundation of memory protection in the browser. DEP/NX works with your system’s processor to distinguish between code and data, helping to prevent execution of data placed into memory by an attacker. If the processor determines that it has been directed to execute a block of memory lacking the proper marking, it will securely terminate the process before executing the specified instructions.

ASLR (Address Space Layout Randomization) is a defense that helps ensure that the memory space of a process is laid out in an unpredictable manner. ASLR helps ensure that an attacker cannot easily bypass DEP/NX protections using a trick called “Return Oriented Programming” in which the attacker simply sets up the attack and jumps to existing code locations, abusing functions which are a part of the browser and operating system. For instance, a common trick is to attempt to jump to the VirtualProtect function which allows memory to be marked as “code” rather than data—if successful, this effectively bypasses DEP/NX. By ensuring that VirtualProtect and other functions are at unpredictable locations, exploit code will generally crash with an Access Violation instead of running successfully.

In IE9, we’ve improved our memory layout randomization to help eliminate predictable memory mappings. However, ASLR is enabled on a per-DLL basis, and some older browser add-ons are not properly opted in to the mitigation. You can use the Process Explorer tool from SysInternals to examine the loaded DLLs in a process to determine whether DEP/NX protection is successfully applied to each. For instance, in the following screenshot, you’ll see that all of the DLLs loaded by the Internet Explorer tab process have ASLR enabled except one ActiveX control which is missing the protection. If that DLL exposes any code segments useful to an attacker, the lack of ASLR randomization could provide a toehold into bypassing memory protections.

Screen shot showing ASLR enabled for Internet Explorer DLLs

Note: Enthusiasts can force ASLR to be applied to all DLLs in the process using EMET (Enhanced Mitigation Experience Toolkit), a security tool provided by the Microsoft Security Research and Defense team to prototype cutting-edge security mitigations. Forcing ASLR onto DLLs which are not expecting it may introduce compatibility problems, however, so keep that in mind if you try out this tool.
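The per-DLL opt-in described above is recorded in the DllCharacteristics field of each image's PE optional header, so a defender can audit add-on DLLs offline as well as in Process Explorer. The following Python check is an added example, not code from the original post; the module names and header-only sample images are constructed for illustration.

```python
import struct

# Flag values and offsets from the PE/COFF format (winnt.h names).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image marked DEP/NX compatible (/NXCOMPAT)
PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER_SIZE = 20
DLLCHARACTERISTICS_OFFSET = 70  # identical in PE32 and PE32+ optional headers

# ASLR opt-in is per image. DEP is decided per process, so the NXCOMPAT bit
# matters most on the EXE, but it is reported here for every module.
CHECKS = (
    (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, "ASLR (DYNAMICBASE)"),
    (IMAGE_DLLCHARACTERISTICS_NX_COMPAT, "DEP/NX (NXCOMPAT)"),
)


class NotPEError(ValueError):
    """Raised when the bytes are not a parseable PE image."""


def read_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise NotPEError("missing or truncated DOS header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPEError("PE signature not found")
    coff = e_lfanew + 4
    opt = coff + COFF_HEADER_SIZE
    if len(image) < opt + DLLCHARACTERISTICS_OFFSET + 2:
        raise NotPEError("optional header truncated")
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32_PLUS_MAGIC) or size_of_optional < 72:
        raise NotPEError("unsupported optional header")
    (flags,) = struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)
    return flags


def audit_modules(modules: dict) -> list:
    """Return (name, finding) pairs for modules that lack a mitigation flag."""
    findings = []
    for name, image in modules.items():
        try:
            flags = read_dll_characteristics(image)
        except NotPEError as exc:
            findings.append((name, f"unreadable: {exc}"))
            continue
        missing = [label for bit, label in CHECKS if not flags & bit]
        if missing:
            findings.append((name, "missing " + ", ".join(missing)))
    return findings


def build_sample_pe(dll_characteristics: int, magic: int = PE32_MAGIC) -> bytes:
    """Constructed header-only image for the demo (not a loadable DLL)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    size_opt = 224 if magic == PE32_MAGIC else 240
    machine = 0x014C if magic == PE32_MAGIC else 0x8664
    # Characteristics 0x2002 = IMAGE_FILE_DLL | IMAGE_FILE_EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x2002)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample set: hypothetical module names, synthetic headers.
SAMPLE_MODULES = {
    "browser_core.dll": build_sample_pe(0x0140),                 # ASLR + NX
    "legacy_addon.dll": build_sample_pe(0x0100),                 # NX only
    "addon64.dll": build_sample_pe(0x0140, PE32_PLUS_MAGIC),     # 64-bit, both
    "truncated.bin": b"MZ",                                      # not a full PE
}

if __name__ == "__main__":
    for name, finding in audit_modules(SAMPLE_MODULES):
        print(f"{name}: {finding}")
```

To audit real files, read each DLL's bytes from disk and pass them in the same name-to-bytes mapping.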

SafeSEH (Safe Structured Exception Handling) is a compiler option which helps prevent the injection of malicious structured exception handlers into an exception handling chain. All 64-bit code and all of Internet Explorer’s code is compiled with the SafeSEH flag. However, like ASLR, this mitigation is enabled on a per-DLL basis, and hence it requires that add-ons be compiled with the flag in order to ensure comprehensive protection.

This limitation of SafeSEH is mitigated in Internet Explorer 9 when running on Windows 7. IE9 opts in to SEHOP (Structured Exception Handler Overwrite Protection), a new feature which is enabled on a per-process basis and hence does not require opt-in by individual DLLs. SEHOP works by validating the integrity of the exception handling chain before dispatching exceptions. This helps ensure that structured exception handling cannot be used as an exploit vector, even when running outdated browser add-ons that have not been recompiled to take advantage of SafeSEH.

Lastly, Internet Explorer 9 is compiled with the new C++ compiler provided with Visual Studio 2010. This compiler includes a feature known as Enhanced GS aka Stack Buffer Overrun Detection, which helps prevent stack buffer overruns by detecting stack corruption and avoiding execution if such corruption is encountered. In the latest compiler, the existing GS feature was enhanced to block a broader range of attacks, and it utilizes better heuristics to determine which functions need protection. This enhancement helps minimize the performance impact and maximize protection for Internet Explorer.

Learn More

Software developers can learn more about Internet Explorer’s defenses, including how to use these techniques to improve the security of their own products, by reading the Windows ISV Software Security Defenses whitepaper on MSDN.

Thanks for your help securing the Web.

—Eric Lawrence, Senior Program Manager, Internet Explorer

Comments (51)

  1. jun says:

    does it prevent activex controls from running/installing themselves without explicit user permission for that particular control?

  2. Ryan Sharp says:

    All junk I'm afraid. Google is where the real innovation is at. I suggest everyone go download a copy of Chromium or Android and learn how software is supposed to be done. Microsoft talking about innovation and/or security is about as hilarious as it gets.

  3. jun says:

    Google talking about security is even more hilarious, Ryan, because they mean security from everyone but themselves.  Go ahead and trust the same guys who stole all those email addresses and passwords with their streetview car with all your secure web transactions.  Great idea.

  4. jun says:

    And apparently you missed the news about how the Android app store is riddled with malware.  Where've you been the last week, Ryan?  Google HQ?

  5. jabcreations says:

    I'm *truly* not trying to be negative though I remember seeing this posted two days ago…

    http://www.hardocp.com/…/microsoft_won96t_patch_internet_explorer_before_contest

    My priority list…

    1.) Fix security bugs/vulnerabilities before all-else.

    2.) Fix regular bugs in features if live.

    3.) Fix regular bugs in features not yet live.

    4.) Add new features.

    Unless I'm missing something this has been my priority hierarchy and it's served me well. I ask, why not prove your dedication to security by ensuring IE can withstand something like the Pwn2Own event?

  6. Jill says:

    If you can apply this much security to the browser – can you give the rest of the dev team a kick to fix things like .innerHTML?

  7. Warren says:

    "All junk I'm afraid. Google is where the real innovation is at."

    Indeed, they are truly innovative in their non-use of ASLR, a five year old security technology, in their browser plugin for IE!

  8. Stilgar says:

    I know this is about stability rather than security but how come that in IE8 AND IE9 a tab can freeze the whole browser when there are multiple processes? I've never seen a tab in Chrome freeze the UI.

    I really don't want to use Chrome and Google products make me sick with their "everything is web" bullshit but I find this particular issue in IE quite annoying.

    Oh and fix the font rendering, will you?

  9. Beepop says:

    Wasn't there an ASLR bypassing technique using the Javascript PRNG?

  10. zzz says:

    Haven't had security issues – I don't install stuff by Google, Adobe, Apple, Oracle (except in a VM). If Microsoft couldn't write secure code by default without making it first priority, what's the chances that those other guys write secure code when security isn't their priority (it's innovation like you say)? As you can see that Google plugin doesn't even have ASLR enabled and that's old feature. Now if someone wants to innovate, make it so that I can install the buggy stuff by those 4 companies and have no impact on attack surface for the host os or my files & other applications. To start with, why should installing app require admin priv? Non-system apps like a browser should not modify system settings. I can install & run DosBox without admin and install games that used to require the whole cpu for themselves. Once apps don't get admin rights at any point, you can next ensure that any exploit in any app will stay within that app. If I can install apps that install system drivers inside a guest OS in Vmware without compromising host, this should be possible without the vmware by total application virtualization built into Windows which depends on what the app wants to install, if it wants to install a driver then virtualize the parts of machine that the driver needs to talk to.

  11. jun says:

    zzz's comment got me thinking.  the biggest security hole is that Windows allows apps to set themselves up to start on boot in the registry without bringing up anything to alert the user or ask for permission.  Most viruses would be eliminated if Windows simply brought a popup up saying something like "ctfmon.exe is requesting to be allowed to run on startup. If you initiated this request through a legitimate UI, please click ALLOW. Otherwise this request will be automatically denied."  That right there would put an end to a lot of security problems.

  12. Prior Semblance says:

    @jun

    That would be very nice, I'm always having to disable programs that think I want to run some nonsense process in the background all day long and they usually re-enable the process each time they get updated *glares at google update*

  13. sam says:

    Ryan,

    here is another fresh off the press Google security issue: "Researcher finds serious Android Web Market bug"

    news.cnet.com/8301-27080_3-20040246-245.html

  14. John says:

    Hey, I just opened Process Explorer (v14.01) to try this out and under the ASLR column it either is blank or says "n/a," nowhere does it say "ASLR" as in this post's screenshot. Am I using a different version than Eric Lawrence is? Also, in my version I'm assuming that a blank entry means ASLR is enabled, and "n/a" means it isn't? I'm confused.

  15. CvP says:

    today, after launching my IE9rc, i noticed all cookies cleared…

    - i did not clear the cookies

    - i had properly shut down my pc

    it is really annoying to login to 20+ sites again…

  16. DanglingPointer says:

    @jun, the kernel mode of a modern OS, which is an opinionated software, has a number of services running without the user interaction. You think that you own the OS, but it is actually making its own decisions while setting priorities. But I am sure you are not suggesting MS to make their windowsOS realtime! The threats associated to Nxbit are mandatory to address these days, not only by MS in MS Windows and/or MS IE but for every operating system and application developer. So your claims about `cftmon to become a user-mode service` and `Google apps are secured because they r build that (unsecured) way` are falsified.

    MS IE is actually known to be most secured web browsers. The level of security they provide in browser is yet to be seen in any other web browser. So, when it comes to industrial scale, all that matters in IT is security. The more secure is your system, the more people would love it. Other argument about UI freezing is true about IE. ….and hey, don’t read too much!

  17. Andrew says:

    I've questioned ASLR for some time. Does it give a false sense of security? Linux has ASLR to a point but not with each binary or .so file, nor is it opt-in (kernel option; only hardened Linux versions have this on by default). Haven't needed it, perhaps? And remember, Android is Linux and so is ChromeOS. I'm not sure about OS X.

    And last time I checked a debugger (OllyDbg), the memory layout was still the same in 7 (ASLR was left enabled) and XP.

    Also, crashes are quite annoying, Microsoft, and are definitely not preventable; however, running each tab in its own process like Chrome does allows Flash to die in one, but continue working in another. This makes for a far more pleasant experience.

  18. Ken says:

    I really want to believe that IE 9 will be secure, but I don't trust Microsoft's expertise in the security field.

    Six years ago, we saw the "Trustworthy Computing" promises. Seriously? There have been far too many flaws exploited since that PR stunt.

  19. a web developer says:

    Who cares about security if IE9 renders css3 border radius incorrectly in field set, doesn’t have css3 multi-columns and doesn’t have many other css3 properties?

    I am developing a social network site that will render ugly on ie9 because of the lack of support for these features.

    My users, well, they will use another browser if they want to see a better page…

    And some parts of my site (games) will not be available to ie9 users because of the lack of support for webgl, and if the users want to play they need to use a browser other than ie9.

    All browsers have security flaws and all browser manufacturers fix and improve security as much as possible.

    But the medium user doesn’t think about this. They think that they can see all sites rendered ok and fast.

  20. Belleve Invis says:

    Disable COM first, Discard C++ then.

  21. a web developer says:

    Also, who cares for security if every time that I browse a site with ie9 and upload a file in a page with [input type=file multiple] in ie9 I can only upload one file. The users will use a browser other than ie9 when they are bored of uploading 50 photos to their album, because with ie9 they need to select the files 50 times and with another browser they will select all files one time only.

  22. Crescens2k says:

    @jun:

    The only way this would be a security hole is if a non privileged user could get a program to run for all users. Since you need administrator access to write to the correct part of the registry then it means that you would have to be running Windows in an unsecure way if it could infect your system to that extent, and if it can write to that key then you should just classify the install of Windows as compromised and never use it again anyway. The only thing I am unsure of is whether the per user run keys are executed with the administrator token or the unprivileged token in a UAC scenario, but I would imagine that it would be the unprivileged.

    @Andrew:

    ASLR isn't a false sense of security. What it does is stop fixed address attacks from working so it is useful as a simple measure against simple attacks.

    @Ken:

    Since Windows is the most installed OS on end user systems, is it surprising that all attackers and their dogs have tried to attack Windows? The thing with security flaws is that they are unknown until they are exploited. But the thing to remember is that with all the attention being turned towards the focus of the attacks, often people don't look at what the competition is doing. There is also a constant stream of updates in open source projects to correct flaws and bugs too.

    @a web developer

    So you would prefer IE9 to be full of security holes to render your site properly rather than the browser being safe? Honestly, people have stupid priorities. The thing is, CSS3 is still mostly in the works, so that would mean you would like them to implement things which are likely to change. Then if it does change and the IE9 implementation is no longer conformant, would you be one of the people complaining that IE is doing it wrong? Remember, implementing draft standards is a double edged sword, especially with products which have longer shelf lives.

  23. Fleet Command says:

    I see. So, in a nutshell, Microsoft is carrying out SDL procedures in Internet Explorer 9. Well, I took that for granted…

  24. a web developer says:

    Crescens2k

    I don't say that security is not important, but I say that without support of drafts that are supported in all other browsers, the security is secondary.

    For example, microsoft could develop a browser that displays sites in txt format like notepad (remember mosaic) that is 100% secure! It is absurd!

    And I don't believe that a draft changes if all browsers implement the draft. And if microsoft implements a draft it will be a de facto standard.

    Also, if there are 3 or more interoperable implementations of a draft, then there is more chance the draft will be a recommendation.

    Also IE9 implements other standards that are in draft, like border-radius and css-3 selectors. If they implement some drafts, what is the excuse to not implement the others that are supported by all browsers?

    I also repeat. If IE doesn't support these features, the users will change their browser to navigate on sites that use these drafts.

    For example, one site is mine, because I will not use any hack, flash or silverlight in it. If some feature does not work on ie9 but works on all other browsers, sorry for microsoft. I will advise the user that if they want these features, they can download another browser and enjoy these features (like multiple file upload in photo albums).

  25. CvP says:

    @a web developer: you know nothing about web development. so please go back to your crippled social networking site.

  26. a web developer says:

    Riasat.

    Didn't your mother teach you to be a gentleman?

    Please don't blame and don't be rude. Who are you to say that I don't know about web development?

    Rudeness is the weapon of those who do not know how to talk.

    If you don't agree with my arguments, use your arguments (technically) if you can.

  27. Stilgar says:

    @a web developer the IE team have repeatedly stated that they implement drafts that they feel are stable enough. This is their excuse like it or not.

    Also I am amazed by your confidence that users will just switch to other browsers instead of going to other sites (probably ones that use Flash or Silverlight) It seems like your site is pretty amazing. Are you working on the next version of FarmVille or what?

    BTW the idea of WebGL makes me wanna throw up. Google managed to port Quake 2 to WebGL and it is just a little bit laggy? It is a great advancement to the year 1998 when I used to play Quake 2 and it wasn't even laggy.

  28. Stilgar says:

    Stilgar

    > @a web developer the IE team have repeatedly stated that they implement drafts that they feel are stable enough. This is their excuse like it or not.

    I agree, but I blog to the IE team to tell them that other standards are stable too, like multiple file upload (supported in all browsers), and css-3 multi-columns (the last browser, opera, implemented it in their beta barracuda; all others already implement it). I also tell about the bad implementation of css-3 border-radius that is not rendering on fieldset (a bug of ie9).

    > Also I am amazed by your confidence that users will just switch to other browsers instead of going to other sites (probably ones that use Flash or Silverlight) It seems like your site is pretty amazing. Are you working on the next version of FarmVille or what?

    FarmVille :-))) Too much for me…. Currently only an alpha of a message board and photo-album. Also my site doesn't stop working on ie9, then users don't go to other sites, but some of them after testing some feature on another browser will make a switch, because they see the site works better on another browser.

    > BTW the idea of WebGL makes me wanna throw up. Google managed to port Quake 2 to WebGL and it is just a little bit laggy? It is a great advancement to the year 1998 when I used to play Quake 2 and it wasn't even laggy.

    I don't think that webgl will compete with full directx native games, like flash and silverlight don't compete today. But webgl opens a lot of development opportunities to web developers in small games and other areas like simulation. A lot of people think this, like the creator of facebook….

  29. Stilgar says:

    Well obviously the IE team does not agree with you either on the stability of the standards or the importance of the standards you are referring to so they decided for now not to invest resources in css3 multi-columns or whatever. Obviously you have the right to state your opinion but you cannot claim that your priorities are important. I'd rather have browser that is secure than a browser that supports multi-something. Your site may be cool (I doubt it games in web suck) but do you really want to stand against MS? I wonder who will lose more users your site or IE and who will suffer the most from the losses :)

    As a web developer I would rather see the new input fields (date, e-mail, validator, etc) which fail gracefully (to a textbox) in older browsers than the completely useless video and canvas (which I believe are much harder to implement). I can't think of a single reason where I would like to use video or canvas tags (well maybe for some simple chart) in my work but I would like to use the new input types multiple times every day.

    As a gamer I would like to see Web GL die horrible death right now. I would prefer game developers working on native apps for the targeted platforms and develop quality games with less effort. I really don't want to play a game of the technology level of Quake 2 in 2011. Please just let me download the executable.

  30. Stilgar says:

    Hmm it seems like I cannot post on this blog using IE9 if I have active X filtering enabled. It is not even tracking protection it is ActiveX filtering

  31. hAl says:

    "some older browser add-ons are not properly opted in to the mitigation"

    What is the IE team doing about this?

    * Are they approaching addons developers (at least of popular add ons)?

    * Can they give us a list of the 100 most popular addons that do not have ASLR enabled so that we can ask those people for new add-ons?

    * In several IE8 hacks it was actually MS software that failed to have ASLR enabled. Especially several software libraries used by 3rd party applications. Has Microsoft already removed all non-ASLR enabled software from its download centers and how is it ensuring that those old libraries are not used anymore in common products that can integrate with IE9?

  32. a web developper says:

    Stilgar

    I agree with you about html5 form input attributes, including in my previous post I claim about input file multiple.

    Also you can test all browsers in miketaylr.com/…/input-type-attr.html and see that only ie9 doesn't have any support for it. All other browsers have some support.

    The criteria I claim for the IE team to adopt is: if all major browsers (Firefox, Chrome, Safari and Opera) support one draft, it is a de facto standard and IE needs to support it too.

  33. CvP says:

    @a web developer

    What I said is the truth. I don't care if it appears "rude" to you or not.

    Your idea of "de facto standard" is horribly wrong. Specs WILL change based on needs. Just because IE/FF/Chrome implements a "draft" doesn't make the draft a standard.

    Let us assume MS implemented some of the things you mentioned today in IE9. For whatsoever reason, one "draft" gets changed. Then you will start to b*tch why MS isn't "fixing" it? Then let us assume MS "fixes" it on IE10. Then you will start to b*tch MS has crippled the web with broken implementation on IE9 as now you have to support IE9 and IE10..

    and FYI, I am also "excited" about the "features" you mentioned.

    @IE Team

    Will we have some form of "add-on security audit" that checks for these issues and lets the user know if it is using these technologies or not?

  34. laotse says:

    i am very not like ie9's gui,simple != easy to use,in fact it is more hard to use,ie8's gui is good,ie9's engine and speed is good,ie8's gui+ie9's engine is very good.

  35. a web developer. says:

    Ian Hickson, editor of the HTML5 specification says "The criterion for the specification becoming a W3C Recommendation is “two 100% complete and fully interoperable implementations”.

    And microsoft and other browsers are members of w3c boards. If they implement a draft they can make the working group not change what is implemented and working ok. They only change what is not working well or has some difficulty to implement.

    No excuses for not implementing a draft that has been stable for years and implemented by all other browsers for years. If no one implements the draft, it will never be a standard.

    If your arguments are true, ie9 can't implement html5, css3 border radius, css3 selectors, all are drafts, let ie9 only render html 4…

    your excuse for the lack of education is to say that you speak the truth, but in reality you are rude.

    the worst blind man is the one who does not want to see.

  36. DanglingPointer says:

    @a web developer, those frowny faces do not appear in IE9 providing you turn on tracking protection. It looks very neat that way.

    win-win for MS !!

  37. Irony says:

    @Riasat

    That is exactly right.

    I don't know if developers these days are too young to realize this is partially what happened to IE6 or if their memories are that short.

    They complain about IE6 while at the same time complaining that new "drafts" are not being supported … basically trying to cause what they are complaining about in IE6.

    Part of the IE6 woes were that it wasn't updated in 5-6 years, so it didn't support new features and specs. The more frustrating thing now is that some of the things implemented early ended up actually being different in other browsers that were developed after the specs were farther along.

    Way to push for the latter to happen again developers …

    Implement specs only after you are very certain they won't change.  Otherwise you are sealing your fate with gobs of hacks and fixes down the line.

    Saying IE6 hacks are frustrating and then complaining the IE9 doesn't support draft specs is ironic in my book.

  38. Bengie says:

    @Jun "zzz's comment got me thinking.  the biggest security hole is that Windows allows apps to set themselves up to start on boot in the registry without bringing up anything to alert the user or ask for permission.  Most viruses would be eliminated if Windows simply brought a popup up saying something like "ctfmon.exe is requesting to be allowed to run on startup. If you initiated this request through a legitimate UI, please click ALLOW. Otherwise this request will be automatically denied."  That right there would put an end to a lot of security problems."

    You mean UAC?

  39. a web developer says:

    DanglingPointer.

    I always use ms products. I like microsoft and your products. I think that they are better than those of other companies, and as a microsoft fan and consumer I want ie to stay the better browser on the market.

    The problem is the world is changing and microsoft needs to see that. Today there are devices with opera mini in asia, tablets with ipads in USA or kindle from amazon (webkit browser) and any people can easily download a browser that they want and install it in windows.

    For these reasons I say that microsoft needs to implement the standards that are implemented in other browsers, because today a lot of web developers are using these features in your sites and if a user enters one site, for example, where they can't see something with ie but can see it in another browser, they can abandon ie..

    drafts that i ie9 need to support (maybe ie 9.1 ?).

    HTML5 Forms (like multiple file upload)

    CSS3 Text Shadow

    CSS3 Gradients

    CSS3 Border Image

    CSS3 Flex box model

    CSS3 multi-column

    CSS3 3D Transitions

    WebGL (that already is a standard, not a draft)

  40. a web developer says:

    Irony

    the problem with ie6 is bad implementation of css (bugs) and lack of vendor prefix. If ie 6 have service packs that fix their bugs and if css in these days have vendor prefix then there are no problem.

    But today there are vendor prefix. No excuse to implement these drafts. Other browser already implemented

  41. Irony says:

    @ a web developer

    I would say the problem used to be lack of test suites.

    Microsoft has now gone above and beyond in that regard.

    How exactly do you prefix HTML5 (HTML) Forms?  You can't.

    It's a decent solution for CSS when vendors actually prefix which I've noticed many don't … at best prefixing has been intermittent.

    Prefixing makes testing on real pages nice, but I think devs more often than not abuse it and attempt to use that in live scenarios.

    Now you're writing rules 5 times with different prefixes.  Let's say FF3.x  uses a prefix for something, then the spec changes after they have moved on to only supporting 4.x.

    Now you have a prefixed rule for 3.x, plus a hack to make it perform to the updated spec, plus the non-prefixed rule for FF4? … and that's only one browser.  I don't like that.

    Basically, I know what you are saying … but I personally do not like that as a solution.

  42. Crescens2k says:

    @a web developer

    You do realise that even the most stable parts of a working draft can get changed right? It happened with the C++0x standard after Microsoft implemented two of the features in VC++. One of the features was changed early enough for them to have modified it in the compiler, but the other one didn't, so now there is a feature in the compiler which isn't exactly compliant to the draft standard and that part was stable for a while before.

    If it can happen to one then it can happen to them all, and as was said, because IE9 has a longer release cycle than other browsers then these things will most likely not be fixed any time soon. Your social networking site would then have to have lots of ugly hacks in to support IE9, and I'm sure that would annoy you even more.

  43. EricLaw [MSFT] says:

    @John: Yes, it appears that the very latest builds of Process Explorer regressed the display of the ASLR column for the per-module view. It worked properly in older builds, so I'm not sure what went wrong. This regression was first noted on the SysInternals forums in Dec 2010.

    @Stilgar: Yes, AX Filtering breaks posting comments on the blog in the current version of the blog software; we've filed a bug on the bad pattern that the site is using, and we'll be writing a blog post on exactly what's wrong with the site (preferring ActiveX over native methods) in the next few weeks.

    @Fleet Command: Indeed, a fair point, although many folks don't follow the SDL closely and have found this information interesting.

    @Andrew: ASLR is, in fact, a critical feature to mitigate ROP attacks, and that's why you're starting to see its increasingly broad adoption by modern operating systems (e.g. WinVista, latest Mac OS, etc). ASLR on its own isn't of use, of course, you need to couple it with DEP/NX or the bad guy need not use ROP at all.

    I'm not sure what you were looking at in OllyDbg, but the memory layouts in XP vs. Win7 are significantly different, and change in Win7 on every boot. Also, please keep in mind that IE8+ already run individual tabs in different processes thanks to a feature called "Loosely coupled IE."

    @jun: I'm not sure what feature you're asking about. IE has many features to control ActiveX, including ActiveX Opt-in, Per-Site ActiveX, and new to IE9, ActiveX Filtering.

  44. eastern european hacker says:

    Security on IE is the good.  Please to not change it at all.  Is very very strong.

  45. Stilgar says:

    @EricLaw thank you. I've been posting comments with Firefox since IE9 RC not knowing what went wrong. I reasoned you may be referencing JS library from an external resource and checked for tracking protection but it did not occur to me that the ActiveX filtering may be the problem.

  46. Marcos says:

    You know why IE 9 will fail? It's not because we all hate IE 6, but because users rely on plugins. The browser it's not just a client rendering engine, if that was the case we could ship just webkit. The web is all about PLUGINS/ADDONS. There are tons of addons for the other browser, such as Mozilla Firefox and Chrom(e/ium). Developers are very motivated to create plugin for OPEN browsers or browsers that RESPECT standards (Opera). Now IE don't respect standards nor is open.

    So, in conclusion,

    IE is a fail.

  47. ClueTrain says:

    Marcos: Uh, Opera isn't exactly a success story, nor do they have a successful plugin model.

    Chrome and Firefox both have plugin models that aren't based on open standards, and they break many plugins with every release of their browser.

    Of all the browsers, only IE has managed to keep most of their browser plugins working from one release to the next.

    So, in conclusion, your comment is a fail.

  48. Anand says:

    Title:DEP/ASLR Implementation Progress in Popular Third-party Windows .

    Ref:secunia.com/…/DEP_ASLR_2010_paper.pdf

    8. Google Chrome

    While DEP has been enabled on both Windows 7 (Vista) and Windows XP from the first 1.x stable releases (late 2008), the icudt42.dll library is loaded at fixed address 0x4AD00000 in version 4.1.249.1064. Other icudt*.dll versions are loaded at fixed addresses in previous versions. The first stable version to enable dynamic allocation of the library was 5.0.375.55, released May 2010

  49. jf says:

    Hi,

    When you say "eliminate predictable memory mappings" it is unclear to me; do you mean to say you've eliminated some of the DLLs that were not randomized? Or did you address issues with deterministic TEBs, not-nearly random enough thread stack layouts that lead to lols for stack addresses? Is the system call interface page now randomized? et cetera

  50. Aerankas says:

    Personally I think the reason Chrome and Firefox are going to continue to become more popular (aside from the fact that they are WAY faster to open and operate) is they lack this whole concept of versions.  With IE, you get a version, it supports what it supports, end of story (generalizing).  Chrome updates -all the time- without my intervention, so when things change, so does my browser.  If you're using draft features (as a dev), you are obviously aware that they're draft so you have to pay attention to them and what's happening with the standard.  Standard changes, site gets updated, browser gets updated, you're good to go… after you hack in a fix for IE.  As for security, as a technical guy, I get to help my friends out with computer problems when they have them.  It's about 50% networking problems, 50% malware and viruses.  Every one of these non-technical people that actually gets viruses (when was the last time I got a virus?  Uh…. like 1999 before I knew better?) uses IE.  No lie, every SINGLE one, and probably have expired McAfee or Symantec.  So I fix them up, reformat, whatever it happens to take.  Then I install chrome, MSE and Malwarebytes and they never come back.  It probably helps that I berate them endlessly for getting infected but the point is, security can be more about education than product coding, and because tech is so prevalent but the knowledge isn't… well people click the shiny link to "scan my computer now to make is fasssster!!"

  51. jesus says:

    What a bunch of useless comments here. I'd like to thank ieblog, Eric and Microsoft for the great job they did on Windows 7 and IE 9. Rock on.