SAN FRANCISCO—Microsoft plans to make a key Internet Explorer default change to thwart attackers trying to hack into its Web browser.
The software maker will enable DEP/NX (Data Execution Prevention/No Execute) by default in IE 8 when the browser is running on Windows Vista and Windows Server 2008, a major tweak aimed at mitigating browser-based vulnerabilities.
DEP/NX is already available in IE 7, but it's turned off by default because of compatibility issues.
With the default change, IE 8 automatically gets a security feature that prevents an application or service from executing code from a nonexecutable memory region. When used in tandem with additional security mechanisms, DEP/NX can help to reduce the effectiveness of hacker attacks.
According to Microsoft Program Manager Eric Lawrence, the DEP/NX protection will apply to Internet Explorer and all add-ons loaded by the browser. "No additional user interaction is required to provide this protection, and no new prompts are introduced," Lawrence said.
This means that IE add-on developers will have to make code changes to ensure a smooth ride once IE 8 is released to the general public.
Microsoft's recommendations to IE developers include:
1. If code depends on older versions of ATL (Active Template Library), please rebuild it with ATL v7.1 Service Pack 1 or later (Visual Studio 2005 includes ATL 8.0).
2. Set the /NXCompat linker option to indicate that an extension is compatible with DEP/NX.
3. Test code with DEP/NX enabled using IE 8 Beta 1 on Windows Vista SP1. (Alternatively, test with IE 7 on Windows Vista after enabling the DEP/NX option. To enable DEP/NX for IE 7, run IE as an administrator, then set the appropriate checkbox in the Tools > Internet Options > Advanced tab.)
4. Opt code into other available defenses like stack defense (/GS), safe exception handling (/SafeSEH) and ASLR (/DynamicBase).
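The /NXCompat and /DynamicBase linker options from the recommendations above are recorded as bits in the DllCharacteristics field of a module's PE optional header, so an organization can audit its deployed add-ons before IE 8 turns DEP/NX on. The following Python script is an added example, not code from the article or from Microsoft: it reads that field from any DLL or EXE and reports whether the image declares DEP/NX and ASLR compatibility. The flag values and header offsets are the published PE/COFF constants; the `build_test_image` helper constructs a synthetic, non-loadable header purely so the checker can be exercised without a real binary.

```python
import struct
import sys

# Bits of the PE optional header's DllCharacteristics field (PE/COFF spec).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by /DynamicBase (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # set by /NXCompat (DEP/NX)
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400         # image uses no SEH at all

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def read_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image (DLL or EXE)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
    (pe_offset,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # The 20-byte COFF file header follows the signature; then the optional header.
    opt = pe_offset + 4 + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 of the optional header in both the
    # PE32 and PE32+ layouts (PE32+'s 8-byte ImageBase absorbs PE32's BaseOfData).
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return dll_chars


def check_mitigations(image: bytes) -> dict:
    """Report which header-level mitigations the linker opted the image into."""
    flags = read_dll_characteristics(image)
    return {
        "nx_compat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "no_seh": bool(flags & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }


def build_test_image(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal PE header for testing (constructed sample, not loadable).

    Only the fields the checker reads are filled in; everything else is zero.
    """
    pe_offset = 0x80
    header = bytearray(pe_offset)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, pe_offset)
    header += b"PE\0\0"
    header += bytes(20)                       # zeroed COFF file header
    opt = bytearray(112)                      # large enough for PE32 or PE32+
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(header) + bytes(opt)


def describe(name: str, image: bytes) -> str:
    """One audit line per module, suitable for a pre-rollout inventory."""
    m = check_mitigations(image)
    return (f"{name}: DEP/NX {'yes' if m['nx_compat'] else 'NO'}, "
            f"ASLR {'yes' if m['dynamic_base'] else 'NO'}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit real modules passed on the command line, e.g. an add-on's DLL.
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(describe(path, f.read()))
    else:
        # Constructed samples: a legacy add-on with no flags beside a rebuilt one.
        legacy = build_test_image(0x0000)
        rebuilt = build_test_image(IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                                   | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
        print(describe("legacy_addon.dll (constructed)", legacy))
        print(describe("rebuilt_addon.dll (constructed)", rebuilt))
```

Two caveats apply when reading the output. First, /NXCompat on a DLL is a declaration of compatibility, not an enforcement switch: DEP is applied per process, so an add-on without the flag still runs under DEP once IE 8 enables it, and only the run-time test in step 3 above shows whether it survives. Second, this script sees only what lives in the optional header; /GS leaves no header marker, and SafeSEH status has to be read from the image's Load Config directory rather than from DllCharacteristics.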
"In rare cases where an add-on is not DEP/NX-compatible for reasons other than outdated ATL usage, a group policy option will be available to allow an organization to opt out of DEP/NX for Internet Explorer until an updated version of the broken add-on can be deployed," Lawrence said.
He also said that, with the DEP/NX change, IE 8's new security features will target three major sources of security exploits: social engineering, and Web server- and browser-based vulnerabilities. The browser will feature a revamped anti-phishing/anti-malware component called Safety Filter, which blocks Web sites that are known to contain malicious software that could harm users' computers or steal sensitive user information.
Lawrence said IE 8 will also offer greater control over ActiveX controls and new AJAX (Asynchronous JavaScript and XML) features, XDomainRequest and XDM, for safer mashups.