Microsoft Details IE 8 Security Default Change

Microsoft plans to make a key Internet Explorer default change to thwart attackers trying to hack into its Web browser. The software maker will enable DEP/NX (Data Execution Prevention/No Execute) by default in IE 8 when the browser is running on Windows Vista and Windows Server 2008, a major tweak aimed at mitigating browser-based vulnerabilities. DEP/NX is already available in IE 7, but it's turned off by default because of compatibility issues.

With the default change, IE 8 automatically gets a security feature that prevents an application or service from executing code from a nonexecutable memory region. When used in tandem with additional security mechanisms, DEP/NX can help to reduce the effectiveness of hacker attacks.

According to Microsoft Program Manager Eric Lawrence, the DEP/NX protection will apply to Internet Explorer and all add-ons loaded by the browser. "No additional user interaction is required to provide this protection, and no new prompts are introduced," Lawrence said.
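To confirm on a given machine whether a running Internet Explorer process actually has DEP/NX applied, the state can be queried per process. The PowerShell below is an added example, not code from the article or from Microsoft; it calls the documented kernel32 function GetProcessDEPPolicy, and the names Get-DepStatus and DepCheck are chosen here for illustration.

```powershell
# Added example (not from the article): report DEP/NX state per process using
# the documented kernel32 API GetProcessDEPPolicy. The API answers only for
# 32-bit processes; 64-bit processes always run with DEP enabled.
Add-Type -Namespace DepCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(
    IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

function Get-DepStatus {
    param([string]$Name = 'iexplore')   # assumed default: IE's process name

    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $flags = [uint32]0
        $permanent = $false
        $state = 'Unknown (access denied, or 64-bit process: DEP always on)'
        try {
            if ([DepCheck.Native]::GetProcessDEPPolicy($proc.Handle, [ref]$flags, [ref]$permanent)) {
                # 0x1 = PROCESS_DEP_ENABLE
                $state = if ($flags -band 0x1) { 'Enabled' } else { 'Disabled' }
            }
        } catch {
            # Opening the process handle failed; keep the 'Unknown' state.
        }
        [pscustomobject]@{
            Id                = $proc.Id
            Name              = $proc.ProcessName
            Dep               = $state
            # 0x2 = PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION (only meaningful when DEP is on)
            AtlThunkEmulation = if ($flags -band 0x1) { -not ($flags -band 0x2) } else { $null }
            # True means the policy cannot be changed for the life of the process
            Permanent         = $permanent
        }
    }
}

Get-DepStatus | Format-Table -AutoSize
```

Because add-ons load into the browser process, one row per iexplore process covers the add-ons it hosts as well.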

View: Full Article @ eWeek


22 Comments


Yes, and Microsoft want to get this out before June ahead of Firefox 3...? As we all know from the past, whenever there is a run for the post Microsoft always pitch for the post ahead of anybody else. And the results are patches after patches and disappointment around.


by default in IE 8 when the browser is running on Windows Vista and Windows Server 2008

This means that we can forget about seeing IE8 on XP?

yeah ... why not just make everything modular .... if the user wants to install ie, then do it, if not let them install something else ... that will fix a lot of problems ms/ie is having right now

Under Vista it is not enabled by default, XP does not have that option and indeed the more security added the better and it looks like IE8 will not be for XP. If addon companies/people did write things properly there would not be these problems like compatibility errors and such.

Theoretically under XP you could enable this protection by popping into System > Advanced > Settings (under Performance) > the DEP tab > and select the second option button to Turn DEP on for everything. Granted a few applications might start acting up, which in that case you can exclude them in the given list.

But then again, XP IE7 or IE8 still doesn't have a virtual sandbox without resorting to things like Sandboxie.

Also why would MS release an IE8 beta for Vista AND XP, then somewhere along the line just admit that IE8 won't be coming to XP after all? Better release something than nothing, even if it's a bit cut down from its Vista sibling.

(rm20010 said @ #9.1)
Also why would MS release an IE8 beta for Vista AND XP, then somewhere along the line just admit that IE8 won't be coming to XP after all? Better release something than nothing, even if it's a bit cut down from its Vista sibling.

Huh? I never heard/read that IE8 won't be available for XP... I mean, XP SP3 is supposed to be released soon, and I doubt MS would do something so ridiculous as to make IE8 only for Vista and Server 2008, effectively excluding Server 2003. I don't put anything past MS these days, but to think that they would do something like that is madness IMHO. After all, IE6 was released for Windows 98, even if it didn't quite work as well as it did on later versions of Windows (it used to crash a lot on my friends' computers... no clue why). Windows 98 support was supposed to be discontinued in 2004, 3 years after IE6 was released (due to its popularity, the date was extended).

I guess I am hoping that history repeats itself. Sure, we don't have Protected Mode in IE7 on XP, for example, but that is because the feature is tied into a Vista-specific feature. Oh well. That's what Virtual PC is for when it comes to IE testing. :P

I thought this was enabled all across the board by default since XP SP2 and in Vista x64? So is IE the only app that's protected by NX so far, and really only the capability is there but apps aren't using it?

XP SP2 made it opt-in. By default most Windows components are under DEP/NX protection, not all. In x64 versions, however, it is enabled by default. In fact there is no way to turn it off.

(soumyasch said @ #8.1)
XP SP2 made it opt-in. By default most Windows components are under DEP/NX protection, not all. In x64 versions, however, it is enabled by default. In fact there is no way to turn it off.

So IE wasn't running with NX enabled previously except on x64? So this only affects 32-bit XP and 32-bit Vista pretty much.

Yup. More security by default, the better. Let the more advanced users toggle settings to their heart's content, but let the average users be safe from the get-go.

Let's hope people don't complain about this as they do about UAC.

(chaosblade said @ #7)
Yup. More security by default, the better. Let the more advanced users toggle settings to their heart's content, but let the average users be safe from the get-go.

Let's hope people don't complain about this as they do about UAC.

I for one could never understand the ****ing and moaning that ensued with the UAC; sure, I can't stand Windows Vista, but UAC was pretty damn low on my list of grievances. Once you got the machine set up, and software installed, and actually USED THE USER DIRECTORIES INSTEAD OF CREATING NEW DIRECTORIES IN THE SYSTEM DIRECTORIES, things were peachy. Yes, I did that in caps lock because of the number of half-wits who insist on not using the user based direct structure to keep user files separate from the system.

Good. This is the first thing I did after I installed Vista and Windows Server 2008.
No problems so far.

It's the 'Enable memory protection to help mitigate online attacks' setting in Internet Options -> Advanced tab (need to run with admin permissions to set this setting).

And if 3rd parties would write their code correctly, there would not be that many compatibility issues when they move forward... most compatibility issues come from the fact people sway from what is accepted coding standards or use undocumented procedures or APIs.

Sounds like a good idea to me, though I am kinda curious about the mentioned compatibility issues. Anyone know what kind of issues they would be?

I'm worried about this too. After all, if IE7 has issues, what kind? Incompatibility with certain add-ons? Incompatibility with XP and certain IE7-specific features, perhaps?

If there won't be any harm in it, I will look forward to this, along with IE8 in general. ^_^

Sun Java crashes DEP reliably, and I do believe Adobe Reader did as well (though that may've been fixed). I can only imagine what would happen for poor Joe-Internet with his toolbar-for-every-program-installed setup.

(rpgfan said @ #3.1)
I'm worried about this too. After all, if IE7 has issues, what kind? Incompatibility with certain add-ons? Incompatibility with XP and certain IE7-specific features, perhaps?

If there won't be any harm in it, I will look forward to this, along with IE8 in general. ^_^

Maybe instead of worrying, you should start putting the hard word on these software vendors like Adobe, Sun and Apple, and tell them to get their act together in regards to security. Simply ****ing and moaning about Microsoft's need to tighten security doesn't help anyone.