Protecting Browsers with Defense In Depth Techniques

Protecting Browsers with Defense In Depth Techniques

  • Comments 7
  • Likes

Posted on half of Pete LePage on the Internet Explorer team.

Protecting Windows customers is an absolute priority for the Internet Explorer engineering team.  That's why we work hard to make sure our browser has some of the best safety and privacy features available today.  We've spent a lot of time talking about some of the more visible safety and privacy features like our SmartScreen Filter, that protects users from socially engineered malware and phishing attacks; or the InPrivate features that put you in control of how you share your information.

But there are a number of other features that aren't as visible and help prevent vulnerabilities from being exploited, though some are only available on newer platforms like Windows Vista or Windows 7.  For example, Protected Mode helps ensure exploited code cannot access system or other resources.  Address Space Layout Randomization (ASLR)helps prevent attackers from getting memory addresses to use in buffer overflow situations.  Data Execution Prevention (DEP) helps to foil attacks by preventing code from running in memory that is marked non-executable.  These defense in depth protections are designed to make it significantly harder for attackers to exploit vulnerabilities. 

One way to think about what defense in depth techniques do is similar to the features offered by fire-proof safes that make them last longer in a fire.  Without defense in depth techniques, a fire-proof safe may only protect its contents for an hour or two.  A stronger fire-proof safe with several defense in depth features still won't guarantee the valuables forever, but adds significant time and protection to how long the contents will last.

Recently, there has been some news from some security researchers about how they've managed to bypass DEP or ASLR in Internet Explorer (and Firefox as well).  But like the fire-proof safe example above, defense in depth techniques aren't designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability.  Defense in depth features, including DEP and ASLR continue to be highly effective protection mechanisms.

Internet Explorer 8 on Windows 7 helps protect users with all of these defense in depth features, and there is nothing that you have to do to enable them - they're on by default.  That's one of the reasons why we encourage users to make sure they're running the latest and most up-to-date software.

7 Comments
You must be logged in to comment. Sign in or Join Now
  • I am working one of the largest Win 7 /Server 2008 R2 rollouts, and because the client does not allow Internet access to

    the "Win  7 gold image" development we are working on, the HIPS failed to register its TCP stack changing firewall certificate. I am digging all over to find more on this imporatant Win 7 protection that requires any change inthe TCP stack be certified thru Microsoft registartion or accepted by the user. Any info on how the windows 7 Cert Mgr interacts in Win 7 TCP stack and interrogates the Microsoft CRL across the Internet and these changes, appreciate the point in the right direction?

  • Hello, I was wondering how to go about getting a list of hashes of all know Microsoft products. I am trying to create a white list to aid in finding malware across large networks.

    Thank you,

  • @Linux-User

    You never say anything positive. I've checked all your posts. -_- Go away.

  • Tommyinoz
    46 Posts

    Having a web browser integrated into the OS sucks.

  • "Please develop IE9 for XP. It's better for the web and web developers."

    Little correction:

    Please stop developing browsers. It's better for the web and web developers.

  • I would like to agree with the above comment, yes Microsoft please develop IE9 for XP. But why you guys are always praising IE, everyone out there know that IE is not as secure as you say. Isn't it?

  • anonymuos
    87 Posts

    Please develop IE9 for XP. It's better for the web and web developers.