Leveraging Data Execution Prevention (DEP)

The recent IE attacks have shown again that the technology already built into Windows Vista and Windows 7 can at least help to mitigate such attacks. One of these technologies, which could be used more broadly, is Data Execution Prevention (DEP). Here is how to switch DEP on (it is fairly well hidden).

  1. First, enable it in your BIOS. It might have a different name on your system; basically it enables the use of the NX flag in the processor. Most systems I know of today have it switched on by default.
  2. Boot your OS and go to the System settings (right-click on Computer, then Properties).
  3. On the following screen, choose System Protection.
  4. In the System Properties dialogue which follows, select the Advanced tab and, under Performance, click on Settings.
  5. Then choose the Data Execution Prevention tab. The default is "Turn on DEP for essential Windows programs and services only", which is good enough for most environments. I increased the security setting on my machine, but then I have to manage it as well, since I have to exclude (or uninstall) applications which do not comply.
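As an added example (not part of the original post), the following PowerShell script audits what the dialog above configures, so you can check a machine without clicking through it. It reads the DEP policy from the WMI `Win32_OperatingSystem` class, cross-checks it against the boot configuration with `bcdedit`, and lists the applications that have been excluded through the dialog. It assumes an elevated prompt on Vista/7 or later; the registry location of the exclusion list (`AppCompatFlags\Layers`, flag `DisableNXShowUI`) is stated from memory and should be treated as an assumption to verify on your own system.

```powershell
# Added example: audit the machine-wide DEP policy and its exclusions.
# Run from an elevated PowerShell prompt (Windows Vista / 7 or later).

$os = Get-WmiObject -Class Win32_OperatingSystem

# Map the WMI policy code to the wording used in the System Properties dialog.
$policyNames = @{
    0 = 'AlwaysOff - DEP disabled for all programs'
    1 = 'AlwaysOn  - DEP enabled for all programs, exclusions ignored'
    2 = 'OptIn     - "Turn on DEP for essential Windows programs and services only" (default)'
    3 = 'OptOut    - "Turn on DEP for all programs and services except those I select"'
}

New-Object PSObject -Property @{
    # $false here means the NX/XD feature is not enabled in the BIOS (step 1 above).
    NXAvailable        = $os.DataExecutionPrevention_Available
    Policy             = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    AppliesTo32BitApps = $os.DataExecutionPrevention_32BitApplications
    AppliesToDrivers   = $os.DataExecutionPrevention_Drivers
} | Format-List NXAvailable, Policy, AppliesTo32BitApps, AppliesToDrivers

# Cross-check against the boot configuration, which is what the dialog actually writes.
# Expected values: OptIn, OptOut, AlwaysOn or AlwaysOff.
bcdedit /enum '{current}' | Select-String -Pattern '^\s*nx\s'

# List applications excluded from DEP through the dialog (opt-out mode only).
# Assumption: the GUI stores them as AppCompatFlags\Layers entries carrying DisableNXShowUI.
$layerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)
foreach ($key in $layerKeys) {
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key
        $item.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match 'DisableNXShowUI' } |
            ForEach-Object { "DEP exclusion: $($_.Name)  [$key]" }
    }
}

# To move to the stricter opt-out mode without the dialog (reboot required):
#   bcdedit /set '{current}' nx OptOut
```

Every excluded executable this prints is a program that has been granted an exception to the protection the post recommends, so the list is worth reviewing periodically, ideally with a view to replacing or removing the non-compliant applications rather than keeping the exclusions forever.
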

Now, this is at OS level, for your applications in general. In IE, the corresponding setting is in the Internet Options.

This option is switched on by default in Internet Explorer 8 (in my case enforced through Group Policy and therefore grayed out). This might have an impact on usability, as certain poorly written plug-ins will crash, something I can definitely live with. On the IE blog there is a post describing DEP in IE8: IE8 Security Part I: DEP/NX Memory Protection.

Just use it!

Roger