The company will enable DEP/NX (Data Execution Prevention/No Execute) by default in IE 8 when running on Windows Vista and Windows Server 2008.
SAN FRANCISCO—Microsoft plans to make a key Internet Explorer default change to thwart attackers trying to hack into its Web browser.
The software maker will enable DEP/NX (Data Execution Prevention/No Execute) by default in IE 8 when the browser is running on Windows Vista and Windows Server 2008, a major tweak aimed at mitigating browser-based vulnerabilities.
DEP/NX is already available in IE 7, but it's turned off by default because of compatibility issues.
With the default change, IE 8 automatically gets a security feature that stops code from running out of memory regions marked nonexecutable, such as the stack and heap, which is where an exploit typically places its injected payload. DEP/NX on its own does not stop attacks that reuse code already present in the process, so it is most effective when used in tandem with additional security mechanisms such as ASLR; together they make browser-based exploits considerably harder to write.
According to Microsoft Program Manager Eric Lawrence, the DEP/NX protection will apply to Internet Explorer and all add-ons loaded by the browser. "No additional user interaction is required to provide this protection, and no new prompts are introduced," Lawrence said.
This means that IE add-on developers will have to make code changes to ensure a smooth ride once IE 8 is released to the general public.
Microsoft's recommendations to IE developers include:
If code depends on older versions of ATL (Active Template Library), please rebuild it with ATL v7.1 Service Pack 1 or later (Visual Studio 2005 includes ATL 8.0). Older ATL versions generate small thunks on the heap at run time, which is exactly the kind of code execution from a data page that DEP/NX blocks.
Set the /NXCOMPAT linker option, which sets the NX_COMPAT bit in the PE header's DllCharacteristics field, to declare that an extension is compatible with DEP/NX.
Test code with DEP/NX enabled using IE 8 Beta 1 on Windows Vista SP1. (Alternatively, test with IE 7 on Windows Vista after enabling the DEP/NX option. To enable DEP/NX for IE 7, run IE as an administrator, then set the appropriate checkbox in the Tools > Internet Options > Advanced tab.)
Opt code into the other available defenses, such as stack buffer overrun detection (/GS), safe exception handling (/SAFESEH, x86 only) and ASLR (/DYNAMICBASE).
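As an added example (not part of the eWeek article or of Microsoft's guidance), the Python script below reads the DllCharacteristics word from a PE file's optional header and reports whether the bits set by /NXCOMPAT and /DYNAMICBASE are present, which is the quickest way to audit a directory of add-on DLLs before putting them through the in-browser test. The function names are this example's own, and the header-only images produced by build_minimal_pe are constructed samples so that the script runs offline; they are not loadable binaries.

```python
import struct
import sys

# Bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics, as defined in winnt.h.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by link /DYNAMICBASE (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by link /NXCOMPAT (DEP/NX)

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
# DllCharacteristics sits at byte 70 of the optional header in both PE32 and
# PE32+ layouts (the 4 extra bytes of the 64-bit ImageBase are offset by the
# missing BaseOfData field).
DLLCHARACTERISTICS_OFFSET = 70


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image (DLL or EXE)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too small to carry DllCharacteristics")
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (chars,) = struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)
    return chars


def dep_readiness(image: bytes) -> dict:
    """Report the two linker-declared mitigations relevant to IE 8's DEP/NX change."""
    chars = dll_characteristics(image)
    return {
        "nx_compat": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def build_minimal_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: a header-only PE image with the given DllCharacteristics."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python depcheck.py addon1.dll addon2.dll ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, dep_readiness(f.read()))
```

On a Windows build machine, dumpbin /headers addon.dll prints the same bits under "DLL characteristics" as "NX compatible" and "Dynamic base". Treat the bit as a declaration rather than proof: DEP is enforced per process, so an add-on DLL without the flag still runs under DEP once IE 8 has opted the process in, and the run-time failures that actually matter, such as old ATL thunks, only show up in the in-browser test described above. /SAFESEH is recorded in the load configuration directory rather than in DllCharacteristics, so this check does not cover it.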
"In rare cases where an add-on is not DEP/NX-compatible for reasons other than outdated ATL usage, a group policy option will be available to allow an organization to opt out of DEP/NX for Internet Explorer until an updated version of the broken add-on can be deployed," Lawrence said.
He also said IE 8's security features as a whole target three major sources of security exploits: social engineering, Web server-based vulnerabilities and browser-based vulnerabilities, with DEP/NX addressing the last of these. The browser will also feature a revamped anti-phishing/anti-malware component called Safety Filter, which blocks Web sites known to host malicious software that could harm users' computers or steal sensitive user information.
Lawrence said IE 8 will also offer greater control over ActiveX controls and new AJAX (Asynchronous JavaScript and XML) features, XDomainRequest and cross-document messaging (XDM), for safer mashups.
Source: Eweek