Microsoft Details IE 8 Security Default Change


The company will enable DEP/NX (Data Execution Prevention/No Execute) by default in IE 8 when running on Windows Vista and Windows Server 2008.


Microsoft plans to make a key Internet Explorer default change to thwart attackers trying to hack into its Web browser.

The software maker will enable DEP/NX (Data Execution Prevention/No Execute) by default in IE 8 when the browser is running on Windows Vista and Windows Server 2008, a major tweak aimed at mitigating browser-based vulnerabilities. DEP/NX is already available in IE 7, but it's turned off by default because of compatibility issues.

With the default change, IE 8 automatically gets a security feature that prevents an application or service from executing code from a nonexecutable memory region. When used in tandem with additional security mechanisms, DEP/NX can help to reduce the effectiveness of hacker attacks.

According to Microsoft Program Manager Eric Lawrence, the DEP/NX protection will apply to Internet Explorer and all add-ons loaded by the browser. "No additional user interaction is required to provide this protection, and no new prompts are introduced," Lawrence said.

This means that IE add-on developers will have to make code changes to ensure a smooth ride once IE 8 is released to the general public.

Microsoft's recommendations to IE developers include:
1. If code depends on older versions of ATL (Active Template Library), please rebuild it with ATL v7.1 Service Pack 1 or later (Visual Studio 2005 includes ATL 8.0).
2. Set the /NXCompat linker option to indicate that an extension is compatible with DEP/NX.
3. Test code with DEP/NX enabled using IE 8 Beta 1 on Windows Vista SP1. (Alternatively, test with IE 7 on Windows Vista after enabling the DEP/NX option. To enable DEP/NX for IE 7, run IE as an administrator, then set the appropriate checkbox in the Tools > Internet Options > Advanced tab.)
4. Opt code into other available defenses like stack defense (/GS), safe exception handling (/SafeSEH) and ASLR (/DynamicBase).