Internet Explorer 9 Security Part 1: Enhanced Memory Protections

re: Internet Explorer 9 Security Part 1: Enhanced Memory Protections

jesus — Thu, 10 Mar 2011 21:47:09 GMT

What a bunch of useless comments here. I'd like to thank ieblog, Eric and Microsoft for the great job they did on Windows 7 and IE 9. Rock on.

re: Internet Explorer 9 Security Part 1: Enhanced Memory Protections

Aerankas — Thu, 10 Mar 2011 17:23:23 GMT

Personally I think the reason Chrome and Firefox are going to continue to become more popular (asides from the fact that they are WAY faster to open and operate) is they lack this whole concept of versions. With IE, you get a version, it supports what it supports, end of story (generalizing). Chrome updates -all the time- without my intervention, so when things change, so does my browser. If you're using draft features (as a dev), you are obviously aware that they're draft so you have to pay attention to them and what's happening with the standard. Standard changes, site gets updated, browser gets updated, you're good to go... after you hack in a fix for IE. As for security, as a technical guy, I get to help my friends out with computer problems when they have them. It's about 50% networking problems, 50% malware and viruses. Every one of these non-technical people that actually gets viruses (when was the last time I got a virus? Uh.... like 1999 before I knew better?) uses IE. No lie, every SINGLE one, and probably have expired McAfee or Symantec. So I fix them up, reformat, whatever it happens to take. Then I install chrome, MSE and Malwarebytes and they never come back. It probably helps that I berate them endlessly for getting infected but the point is, security can be more about education than product coding, and because tech is so prevalent but the knowledge isn't... well people click the shiny link to "scan my computer now to make is fasssster!!"

re: Internet Explorer 9 Security Part 1: Enhanced Memory Protections

jf — Wed, 09 Mar 2011 22:32:27 GMT

Hi,

When you say "eliminate predictable memory mappings" it is unclear to me; do you mean to say you've eliminated some of the DLLs that were not randomized? Or did you address issues with deterministic TEBs, not-nearly random enough thread stack layouts that lead to lols for stack addresses? Is the system call interface page now randomized? et cetera

re: Internet Explorer 9 Security Part 1: Enhanced Memory Protections

Anand — Wed, 09 Mar 2011 14:17:49 GMT

Title:DEP/ASLR Implementation Progress in Popular Third-party Windows .

Ref:secunia.com/.../DEP_ASLR_2010_paper.pdf

8. Google Chrome

While DEP has been enabled on both Windows 7 (Vista) and Windows XP from the first 1.x stable

releases (late 2008), the icudt42.dll library is loaded at fixed address 0x4AD00000 in version

4.1.249.1064. Other icudt*.dll versions are loaded at fixed addresses in previous versions. The first

stable version to enable dynamic allocation of the library was 5.0.375.55, released May 2010

re: Internet Explorer 9 Security Part 1: Enhanced Memory Protections

ClueTrain — Wed, 09 Mar 2011 08:56:30 GMT

Marcos: Uh, Opera isn't exactly a success story, nor do they have a successful plugin model.

Chrome and Firefox both have plugin models that aren't based on open standards, and they break many plugins with every release of their browser.

Of all the browsers, only IE has managed to keep most of their browser plugins working from one release to the next.

So, in conclusion, your comment is a fail.

re: Internet Explorer 9 Security Part 1: Enhanced Memory Protections

Marcos — Wed, 09 Mar 2011 01:28:05 GMT

You know why IE 9 will fail? It's not because we all hate IE 6, but because users rely on plugins. The browser it's not just a client rendering engine, if that was the case we could ship just webkit. The web is all about PLUGINS/ADDONS. There are tons of addons for the other browser, such as Mozilla Firefox and Chrom(e/ium). Developers are very motivated to create plugin for OPEN browsers or browsers that RESPECT standards (Opera). Now IE don't respect standars nor is open.

So, in conclusion,

IE is a fail.

re: Internet Explorer 9 Security Part 1: Enhanced Memory Protections

Stilgar — Tue, 08 Mar 2011 22:20:07 GMT

@EricLaw thank you. I've been posting comments with Firefox since IE9 RC not knowing what went wrong. I reasoned you may be referencing JS library from an external resource and checked for tracking protection but it did not occur to me that the ActiveX filtering may be the problem.

re: Internet Explorer 9 Security Part 1: Enhanced Memory Protections

eastern european hacker — Tue, 08 Mar 2011 20:27:20 GMT

Security on IE is the good. Please to not change it at all. Is very very strong.

re: Internet Explorer 9 Security Part 1: Enhanced Memory Protections

EricLaw [MSFT] — Tue, 08 Mar 2011 18:19:48 GMT

@John: Yes, it appears that the very latest builds of Process Explorer regressed the display of the ASLR column for the per-module view. It worked properly in older builds, so I'm not sure what went wrong. This regression was first noted on the SysInternals forums in Dec 2010.

@Stilgar: Yes, AX Filtering breaks posting comments on the blog in the current version of the blog software; we've filed a bug on the bad pattern that the site is using, and we'll be writing a blog post on exactly what's wrong with the site (preferring ActiveX over native methods) in the next few weeks.

@Fleet Command: Indeed, a fair point, although many folks don't follow the SDL closely and have found this information interesting.

@Andrew: ASLR is, in fact, a critical feature to mitigate ROP attacks, and that's why you're starting to see its increasingly broad adoption by modern operating systems (e.g. WinVista, latest Mac OS, etc). ASLR on its own isn't of use, of course, you need to couple it with DEP/NX or the bad guy need not use ROP at all.

I'm not sure what you were looking at in OllyDbg, but the memory layouts in XP vs. Win7 are significantly different, and change in Win7 on every boot. Also, please keep in mind that IE8+ already run individual tabs in different processes thanks to a feature called "Loosely coupled IE."

@jun: I'm not sure what feature you're asking about. IE has many features to control ActiveX, including ActiveX Opt-in, Per-Site ActiveX, and new to IE9, ActiveX Filtering.

re: Internet Explorer 9 Security Part 1: Enhanced Memory Protections

Crescens2k — Tue, 08 Mar 2011 17:42:08 GMT

@a web developer

You do realise that even the most stable parts of a working draft can get changed right? It happened with the C++0x standard after Microsoft implemented two of the features in VC++. One of the features was changed early enough for them to have modified it in the compiler, but the other one didn't, so now there is a feature in the compiler which isn't exactly compliant to the draft standard and that part was stable for a while before.

If it can happen to one then it can happen to them all, and as was said, because IE9 has a longer release cycle than other browsers then these things will most likely not be fixed any time soon. Your social networking site would then have to have lots of ugly hacks in to support IE9, and I'm sure that would annoy you even more.