Microsoft plans to make a key Internet Explorer default change to thwart attackers trying to hack into its Web browser. The software maker will enable DEP/NX by default in IE 8 when the browser is running on Windows Vista and Windows Server 2008, a major tweak aimed at mitigating browser-based vulnerabilities. DEP/NX (Data Execution Prevention/No Execute) is already available in IE 7, but it’s turned off by default because of compatibility issues.
Microsoft Details IE 8 Security Default Change
2008-04-10 7:11 am Thom Holwerda
But not on Windows XP, despite DEP being available.
Here starts obsolescence!
Well, XP is now 7 years old. Gotta pull the plug some time.
2008-04-10 7:24 am Kroc
Sure, but this is the security of the web browser on potentially hundreds of millions of computers. Being that flippant with other people’s security is a terrible display of weakness and I hope it comes back to bite Microsoft hard.
2008-04-10 10:34 am deathshadow
Being that flippant with other people’s security is a terrible display of weakness and I hope it comes back to bite Microsoft hard.
I don’t think ‘flippant’ is quite fair or even accurate here – though typical of people not seeing the big picture.
EVERY time Microsoft even wants to THINK about changing something, they HAVE to keep backwards compatibility in mind because at the end of the day they answer more to their BUSINESS clients than they do Joe sixpack. For all the talk of them ‘raping’ Joe sixpack and his home machine, the REAL money for Microsoft comes from its business customers – many of whom are tied to poorly written in-house crapplets. No matter that they are garbage script kiddy visual basic rubbish, you break those and who are they going to blame? Microsoft – even when much of the fault lies with piss poor coding habits and outdated methodology. Look at EVERY time Microsoft tries to fix ANYTHING, they have to nix it or live with that many businesses simply won’t install the upgrade until it’s shoved down their throats.
Honestly, Microsoft cannot AFFORD to care about the users who know better as they likely will move on to greener pastures like Firefox or Opera… It’s impractical to take the time to deal with Joe user who sees nothing wrong with continuing to try to use IE6 (lord knows I’ve tried personally and some people JUST WILL NOT LISTEN) – As our good friend said, the real answer is “Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers!” For every experienced C++ *nix head that can quote you the BASH man pages from memory, you have 20 business programmers churning out financial crapplets in VB. The big money comes from corporate support, and financial software developers come from the big corporations. This means BUSINESS websites and applications take priority – and businesses change at a pace so glacial it makes IE development the past decade look outright speedy. You know business, the thing that PAYS all of us? (… or at least those of us with REAL JOBS, not ‘professional educators’, ‘professional lecturers’ or kids still having life paid for by mommy and daddy – Windows Guy opens wallet to pay the artsy slacker Mac guy AND the back room *nix geek)
It’s only because of their own success that so many developers STILL have their head up their backsides about even thinking about upgrading past XP SP1. With EVERY patch there is endless hubbub about shit VB crapplets, ActiveX crapplets and a whole host of other poorly written CRAP (much of which doesn’t even follow the guidelines Microsoft set up for writing applications) being broken, and businesses making a huge stink about it.
LOOK at web applications – back in the days before AJAX or to when flash was a tinkertoy… you had two players – one ran like crap on the hardware of the time and was difficult to deploy (Java) since most users didn’t know what a plugin was, and didn’t like the idea of them – the other (activeX) worked in the browser everyone was using anyways – IE. Let’s be honest, 90% of plugin formats are stillborn so far as the internet goes with ONE exception – Flash. Seriously, who the devil uses java to write in-browser applications anymore? You come across a website that needs java to function, don’t you kind of laugh at how pathetic it is?
In particular, it was IE5 that WON the war for Microsoft in the business sector. For all the badmouthing today of IE 5 when it comes to web standards, at the time of its release it was so far ahead of the competition in that department (since NS5/Gromit was coat-hangered and NS6 often the butt of a joke akin to Duke Nukem Whenever) that comparing IE5.x to NS4 is a bit like comparing Opera 9.5 today to IE5. Established businesses built their in-house crapplets around that – much of what is considered a security hole today was a ‘wonderful new freedom of programming’ when it was released – Which is why many websites today STILL require IE for the simplest of functionality that could be done EASIER today cross-browser, but nobody wants to change what’s worked just FINE for the past DECADE just because there’s a new ‘flavor of the week’ browser.
… and that’s before we even TALK about the commercial applications that are tied to Trident (the rendering engine that drives IE) – Antivirus software from Trend and Symantec, AIM 6, Google Talk (It’s a hoot that one of the companies endorsing Firefox the loudest has many of its applets tied to Trident – there’s a reason it’s windows only), Steam, etc, etc… You actually FIX the browser up to standards compliance and fix all those security holes, you run the risk of breaking ALL of those applications!
Microsoft did this amazing thing all the way back to IE4 – they made the entire browser API available to programmers with frameworks available even in competitors’ compilers (see the tBrowser object under TPW/Delphi) All this YEARS before Netscape even thought of releasing the source to their browser to the public (and years before the majority of programmers outside University or the server backroom had heard of the term Open Source, much less took that naive idealistic rhetoric seriously). While letting programmers call the API for rendering is NOT in the same league as releasing the whole source, it shows that they were in fact more open than Netscape was at the time. (I can remember many developers of the age badmouthing Netscape for their closed practices back then the way people talk about Microsoft today) If they had not done so, there would be no Maxthon or Avant browsers, no trident rendering in NS8, no Neptune plugin to run Trident under other browsers like FF or Opera, and frankly I have my doubts AOL (did I just say AOL?) would even have considered open sourcing Gecko if programmers hadn’t already given them the cold shoulder in favor of a browser that DID provide them access.
Hindsight is 20/20, and today the ‘vulnerabilities’ of these technologies are obvious – Look back to 1995-2001 and NOBODY was talking about ANY of this. Funny that, hindsight may indeed be 20/20, but it always amazes me how the masses don’t remember yesterday.
Now, it’s not all rosy and I’m with the crowd that Microsoft has rested on its laurels WAY too damned long, and continuing to have to support browsers that still haven’t caught up to decade old specifications is getting really annoying. Continuing to support aging VB crapplets and ActiveX rubbish that wasn’t particularly well written in the first place – But let’s at least be honest about how we got where we are today and take into account ALL of the reasons Microsoft makes the decisions it makes.
In other words, “in before the LOLZ MICROSHAFT SUXORS”
… and sorry for the lengthy post, but someone had to say it.
Edited 2008-04-10 10:53 UTC
2008-04-10 2:34 pm TechGeek
Time to stop drinking the kool-aid dude. Microsoft is the only one responsible for the security problems they have. How can you not know that putting self executing code into your email system is a recipe for disaster? And who actually uses that? Yet do you see Microsoft changing it? That feature alone is behind probably 3/4 of the viruses out there. Or how about the fact that it runs as ROOT? Don’t tell me that role based security hasn’t existed far longer than Windows. You are right about one thing though, people do bitch when MS changes things. Sometimes you gotta break a few eggs if you want to make an omelet.
As for innovation, CSS was developed by the W3C, and even Mosaic had browser extensions for things like video playback and stuff. Unless you are talking about a specific kind of extension… However, IE 7 was the first IE to not contain Mosaic code. So much for innovation.
2008-04-11 12:51 am deathshadow
Time to stop drinking the kool-aid dude. Microsoft is the only one responsible for the security problems they have.
Yes and No. Back when most of this stuff was introduced it was innovative to do so and considered a good thing. As I said, hindsight is 20/20.
How can you not know that putting self executing code into your email system is a recipe for disaster?
Simple… nobody had ever tried it before – and it worked great in every other program they had. (remember, most activeX features appeared in Office FIRST). It’s WAY TOO EASY to sit here today and badmouth decisions of a decade ago.
And who actually uses that?
Corporate dimwits using the API for in-house crapplets on their private intranets!
That feature alone is behind probably 3/4 of the viruses out there.
Correct – I’m in full agreement on that – What I’m saying is let’s be fair about why we reached the current situation. Developers were jumping up and down for joy when activeX and VBS extensions were introduced for Outlook and IE – We can call it short sighted today, or we can realize that people JUST DIDN’T KNOW. If it was such a horrible thing back then, how did it get such widespread adoption?
Or how about the fact that it runs as ROOT?
There is no ‘root’, it just runs atop a less secure filesystem… Let me ask you this, how many HOME computers before 1997 even had filesystem or OS level execution protection? Sure in the back-room *nix server world you had all this stuff (as an old AIX and Xenix guy, I was there) – but Apple didn’t have it, DOS based machines didn’t have it, CP/M didn’t have it, Sinclair, Commodore, Atari and Tandy certainly didn’t… and if you’ve been online from the 150 baud days, you know this quite well. I’m talking about the commercial companies that drove the REAL computer revolution of years past that brought the home computer to the masses – Not the FSF fanboys trying desperately to call their stuff a revolution when the old-timer *nix geeks got left behind, and the kids dipping into the FSF kool-aid who don’t know any of this since most likely they were still suckling at the teat when this stuff happened.
Don’t tell me that role based security hasn’t existed far longer than Windows.
It did – with back room *nix server geeks. As I said above prior to the mid 90’s you can’t name me one mainstream home computer that had anything approaching it.
You are right about one thing though, people do bitch when MS changes things. Sometimes you gotta break a few eggs if you want to make an omelet.
Except as a business, Microsoft has to answer to its customers. Look at people bitching about Vista won’t run all of their XP games, or how people bitched about 2K & XP not running all the Win9x games, or how 95 didn’t run all of the Win3.1 games. We’re talking a handful of non-essential programs in each case, and Microsoft bent over backwards to maintain as much compatibility as they could – yet people talk about it like the sky is falling… Imagine if you made ALL applications people built using your own tools, most of them business based and not games – not run. They did exactly what you suggest, and you’d have companies like Symantec suing them for pretty much breaking all of their applications and how do you think the EU would react?
As for innovation, CSS was developed by the W3C
Which Microsoft is an active member of… and at the time IE was praised for following W3C guidelines MORE than Netscape was… In fact, Netscape was repeatedly badmouthed for introducing and implementing techniques that did NOT follow the W3C spec, which is why Gromit was aborted, and Netscape was effectively declared dead at the end of ’98 until AOL revived it with NS6 two years later… and it would still be close to SIX YEARS before the buggy, unstable and effectively unusable Gecko would become the useful entity we know it as today. Prior to 2004, how many web developers had even HEARD of the W3C, “Web Standards”, markup/CSS validation, or even cross-browser development?
and even Mosaic had browser extensions for things like video playback and stuff.
You mean plugins. I’m talking extensions in the sense of firefox extensions – or as they call them today, add-ons – which change or add functionality to the browser’s INTERFACE.
For all the talk of firefox extensions/add-ons as an innovation in browser usability, how exactly are these ANY DIFFERENT from what ActiveX introduced with IE 4 over a decade ago? The only difference is that you have to choose to start the installation, instead of answering a yes or no question that everyone usually answers wrong. Mind you, that’s a BIG difference and why they are LESS of a security risk, but really under the hood aren’t they pretty much the same damned thing?
However, IE 7 was the first IE to not contain Mosaic code. So much for innovation.
WRONG, Trident was introduced with IE4, and was the first break from the original Mosaic renderer… The second break being Tasman which was used to drive IE 5.x for the Mac. (yes, the mac versions of IE 5.x do not use the same renderer as the windows versions)
Nice try though.
Edited 2008-04-11 01:09 UTC
2008-04-10 7:24 am Darkelve
Well, before they pull the plug, I hope they first deliver a decent operating system to follow it up (i.e. not Vista).
But not on Windows XP, despite DEP being available.
Here starts obsolescence!