Additional information about DEP and the Internet Explorer 0day vulnerability

The new Internet Explorer security vulnerability described by Microsoft Security Advisory 979352 has received a lot of interest over the past few days. The Internet Explorer team is hard at work preparing a comprehensive security update to address the vulnerability and the MSRC announced today that as soon as the update is ready for broad distribution, it will be released.

We have heard several questions from customers attempting to protect their environment in the meantime. Most questions have been around Data Execution Prevention (DEP), a mitigation we discussed in our previous blog post. To help you better understand DEP specifically as it relates to Internet Explorer 8, we have prepared the following video where I discuss some of the higher level concepts:

Get Microsoft Silverlight More listening and viewing options:

To summarize:

Which versions of Internet Explorer have enabled DEP by default?

Hardware-enforced DEP is enabled by default for Internet Explorer on the following platforms:

· Internet Explorer 8 on Windows XP Service Pack 3,

· Internet Explorer 8 on Windows Vista Service Pack 1 and later,

· Internet Explorer 8 on Windows Server 2008, and

· Internet Explorer 8 on Windows 7.

Windows 2000 has no support for hardware-enforced DEP. Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Vista support hardware-enforced DEP do not have the SetProcessDEPPolicy API that Internet Explorer 8 uses to enable DEP.

How can users of other versions of Windows or Internet Explorer enable DEP?

Windows XP SP2 and Windows Vista RTM users can click this button to launch an MSI that will enable DEP for Internet Explorer.

How can you determine whether hardware-enforced DEP is available with your hardware?

Microsoft KB 912923 describes in more detail how to determine that hardware DEP is available and configured on your computer.

What is the difference between "Software DEP" and hardware-enforced DEP (/NX)?

"Software DEP" is unfortunately really not DEP at all. "Software DEP" is just another name for /SAFESEH [MSDN link]. Unfortunately, /SAFESEH is not an effective mitigation for this vulnerability. Only hardware-enforced DEP disrupts exploits attempting to abuse this vulnerability.

Does IE’s DEP behave differently in the Intranet Zone (as compared to the Internet Zone)?

DEP itself is enabled per process, regardless of application-layer content. However, a well-known DEP bypass is used by attackers to mark pages executable using .NET classes. IE8 does not allow these .NET class to load in the Internet Zone. In the Intranet Zone, the .NET classes are allowed to load. Therefore, an attacker capable of hosting content on your corporate network may be able to bypass DEP and successfully exploit this vulnerability.

We hope that helps answer questions you may have had about DEP.

Jonathan Ness

*This posting is provided "AS IS" with no warranties, and confers no rights*