Enhanced Security with SEHOP

Windows Vista SP1 introduced an interesting new memory protection known as SEHOP, which works with other memory protection techniques (like DEP/NX, ASLR, etc.) to help prevent exploitation of a specific type of memory-related vulnerability known as an SEH overwrite.

As described in Microsoft KB article #956607:

Windows Vista Service Pack 1 and Windows Server 2008 now include support for Structured Exception Handling Overwrite Protection (SEHOP). This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option.

SEHOP is enabled by default on Windows Server 2008 and disabled by default on Windows Vista SP1 and Windows 7.

Vista SP1/SP2 users can enable SEHOP for all applications using the "Fix it" button in the KB article.  One caveat: there are a handful of applications described in the KB article that may not be compatible with SEHOP; Skype is probably the most popular application cited, but I've used Skype with SEHOP enabled without encountering any problems.

The good news is that Windows 7 users can enable SEHOP for IE alone by updating iexplore.exe's Image File Execution Options registry key with a new DWORD named DisableExceptionChainValidation, set to 0. You can easily do this using a registry script.
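
As an added example (not from the original post or the KB article), the PowerShell below audits and sets that per-process value. The function names Get-SehopOptIn and Enable-SehopOptIn are hypothetical, and the script assumes the standard Image File Execution Options location under HKLM and an elevated prompt for the write.

```powershell
# Added example: audit and enable the per-process SEHOP opt-in described above.
# Assumes the standard IFEO location; writing under HKLM needs an elevated prompt.
$IfeoRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'DisableExceptionChainValidation'

function Get-SehopOptIn {
    param([string]$ImageName = 'iexplore.exe')
    $key   = Join-Path $IfeoRoot $ImageName
    $raw   = $null
    $state = 'NotConfigured'   # no per-process value: the OS-wide default applies
    if (Test-Path -Path $key) {
        $prop = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $raw = $prop.$ValueName
            # 0 means exception chain validation is NOT disabled, so SEHOP is on
            $state = if ($raw -eq 0) { 'Enabled' } else { 'Disabled' }
        }
    }
    # New-Object keeps this usable on the PowerShell 2.0 that ships with Windows 7
    New-Object PSObject -Property @{ Image = $ImageName; Value = $raw; State = $state }
}

function Enable-SehopOptIn {
    param([string]$ImageName = 'iexplore.exe')
    $key = Join-Path $IfeoRoot $ImageName
    if (-not (Test-Path -Path $key)) {
        # Create the per-image subkey if no IFEO entry exists yet
        New-Item -Path $key -Force | Out-Null
    }
    # -Force replaces an existing value, including one stored with the wrong type
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
    # Read the value back so the caller sees what is actually stored
    Get-SehopOptIn -ImageName $ImageName
}

# Read-only audit of the current state
Get-SehopOptIn

# Uncomment to opt iexplore.exe in to SEHOP
# Enable-SehopOptIn
```

The setting is read at process start, so restart IE after changing it.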

Update: IE9 is opted in to SEHOP by default; no configuration required!

-Eric