Protecting Browsers with Defense In Depth Techniques

Protecting Windows customers is an absolute priority for the Internet Explorer engineering team.  That's why we work hard to make sure our browser has some of the best safety and privacy features available today.  We've spent a lot of time talking about some of the more visible safety and privacy features like our SmartScreen Filter, that protects users from

socially engineered malware and phishing attacks; or the InPrivate features that put you in control of how you share your information.

But there are a number of other features that aren't as visible and help prevent vulnerabilities from being exploited, though some are only available on newer platforms like Windows Vista or Windows 7.  For example, Protected Mode helps ensure exploited code cannot access system or other resources.  Address Space Layout Randomization (ASLR)helps prevent attackers from getting memory addresses to use in buffer overflow situations.  Data Execution Prevention (DEP) helps to foil attacks by preventing code from running in memory that is marked non-executable.  These defense in depth protections are designed to make it significantly harder for attackers to exploit vulnerabilities. 

One way to think about what defense in depth techniques do is similar to the features offered by fire-proof safes that make them last longer in a fire.  Without defense in depth techniques, a fire-proof safe may only protect its contents for an hour or two.  A stronger fire-proof safe with several defense in depth features still won't guarantee the valuables forever, but adds significant time and protection to how long the contents will last.

Recently, there has been some news from some security researchers about how they've managed to bypass DEP or ASLR in Internet Explorer (and Firefox as well).  But like the fire-proof safe example above, defense in depth techniques aren't designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability.  Defense in depth features, including DEP and ASLR continue to be highly effective protection mechanisms.

Internet Explorer 8 on Windows 7 helps protect users with all of these defense in depth features, and there is nothing that you have to do to enable them - they're on by default.  That's one of the reasons why we encourage users to make sure they're running the latest and most up-to-date software.

souce: windowsteamblog