IE8 Security Details Emerge

[phernandez]

Redmond shares some details on Internet Explorer 8's security features.

IE8 Security Part I: DEP/NX Memory Protection - IEBlog

Internet Explorer 7 on Windows Vista introduced an off-by-default Internet Control Panel option to “Enable memory protection to help mitigate online attacks.” This option is also referred to as Data Execution Prevention (DEP) or No-Execute (NX).

We have enabled this option by default for Internet Explorer 8 on Windows Server 2008 and Windows Vista SP1 and later.

DEP/NX helps to foil attacks by preventing code from running in memory that is marked non-executable. DEP/NX, combined with other technologies like Address Space Layout Randomization (ASLR), make it harder for attackers to exploit certain types of memory-related vulnerabilities like buffer overruns. Best of all, the protection applies to both Internet Explorer and the add-ons it loads. No additional user interaction is required to provide this protection, and no new prompts are introduced.

Thumbs up for this inclusive form of protecting plug-ins (if it works).

[oofki]

lol next weeks headline will be "New DEP/NX in IE 8.0 Beta bypassed"

The only thing that will be good about ie 8 is that it will follow standards and pass acid 2.0

[JPnyc]

Unfortunately, not even that. The program is still in beta so I'm not getting too crazy about this, but IE 8 has no opacity support at all, not even the filters it used to have.

[oofki]

You mean for pictures?

[JPnyc]

For anything. Any HTML element could have it's opacity changed with CSS, and although IE5 thru 7 did support the wrong syntax (proprietary syntax for MS) at least it WAS supported somehow. I understand IE8 has removed the support entirely.

[oofki]

Thats pretty weird haha. I wasnt thinking about CSS but, CSS does support it and as long as they follow the standards it should work... Maybe they just took out their own crap

[nihil]

Yes it is weird. Sure they have removed their non-standard filter approach to comply with standards but haven't provided anything for CSS3.

I have heard that a definitive standard for CSS3 has still to be agreed? that might explain why it hasn't been included.

What strikes me as strange is that there wasn't an attempt to provide an "interim solution" as other browsers have. Particularly when you look at all the "eye candy" in the higher levels of Vista.

[oofki]

This is true maybe they are waiting for 3.0

[JPnyc]

Yes, that's true, it's not part of the standard officially yet, but there was no reason for them to remove their filters. In some ways they were well ahead of the standard, as they may have been the first ones to support opacity in any form. They also have other filters that can do things you can't do with CSS in any other browser, like reverse images, flip them upside down, or show them as a negative of the image. CSS doesn't do any of that yet.

IE gets a bad rap because of its security issues, but when you build in greater possibilities the potential that those possibilities will be exploited maliciously is always present.

They would have been much better off leaving the filters as they were and just including support for the syntax that has been suggested by the worldwide consortium. That way there would have been backward compatibility for existing sites which use those filters. But the program is still in beta, no reason to panic yet.

[JukEboX]

I am currently enjoying IE8 and all the new functions. The one issue I have with it is that IE8 has a memory leak when processing some sites such as this forum and others.