IEInternals

A look at Internet Explorer from the inside out. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14

Enhanced Security with SEHOP

Enhanced Security with SEHOP

  • Comments 2

Windows Vista SP1 introduced an interesting new memory protection known as SEHOP, which works with other memory protection techniques (like DEP/NX, ASLR, etc) to help prevent exploitation of a specific type of memory-related vulnerability known as SEH-overwrite.

As described in Microsoft KB article #956607:

Windows Vista Service Pack 1 and Windows Server 2008 now include support for Structured Exception Handling Overwrite Protection (SEHOP). This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option.

SEHOP is enabled by default on Windows Server 2008 and disabled by default on Windows Vista SP1 and Windows 7.

Vista SP1/SP2 users can enable SEHOP for all applications using the "Fix it" button in the KB article.  One caveat: there are a handful of applications described in the KB article that may not be compatible with SEHOP; Skype is probably the most popular application cited, but I've used Skype with SEHOP enabled without encountering any problems.

The good news is that Windows 7 users can enable SEHOP specifically for just IE by updating iexplore.exe's Image File Execution Options registry key with a new DWORD named DisableExceptionChainValidation, set to 0.  You can easily do this using a registry script.

Update: IE9 is opt-ed in to SEHOP by default-- no configuration required!

-Eric

  • After enabling SEHOP for all applications on Windows 7 using "Fix it", when starting Internet Explorer, it always hang and restart. Is it different between enabling the feature on only Internet Explorer as you provide a solution on this post and enabling the feature on all applications? And what should I do?

  • @Nuntawat: Do you see the problem if you start IE in "No Addons" mode using the link in the start menu?

Page 1 of 1 (2 items)
Leave a Comment
  • Please add 6 and 5 and type the answer here:
  • Post