1. Managing new Internet Explorer 10 security settings
Internet Explorer 10 includes a number of new security features
designed to make the browsing experience more secure for Windows 8
users. Because web browsing is a common vector by which malware is
introduced into an organization, new security features can help these
organizations remain more secure. Three new security features are
included in Internet Explorer 10.
Understanding enhanced memory protection
Through the use of creative attacks, attackers have discovered
commonalities and patterns in system memory that they can easily
exploit. Over time, Internet Explorer has added features to
protect against this kind of activity. Two major memory-protection
features have been added to Internet Explorer 10.
- High Entropy Address Space Layout Randomization (HEASLR): Technically,
  this feature is part of Windows 8, but Internet Explorer 10 uses it
  fully for security gains. This feature employs the 64-bit nature of
  processes to increase the entropy of physical RAM on a computer. The
  result: attackers cannot easily predict the locations at which
  specific code elements will reside, making it more difficult to
  determine a pattern.
- ForceASLR: Not all Internet Explorer modules and add-ons were compiled
  using the option that allows the module or add-on code to be
  randomized in memory for maximum protection against predictive
  attacks. Forced Address Space Layout Randomization (ASLR) is a new
  feature in Windows 8 that Internet Explorer 10 uses to instruct the
  system to randomize the memory location of all modules and add-ons.
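The compile option mentioned above is recorded in each module's PE header as the DYNAMIC_BASE bit of DllCharacteristics, with HIGH_ENTROPY_VA as the high-entropy counterpart. The following is an added example, not code from the original text, that reads those bits so an administrator can see which add-on DLLs did not opt in; the sample images and file names are constructed header-only stubs.

```python
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (/DYNAMICBASE)
HIGH_ENTROPY_VA = 0x0020  # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (/HIGHENTROPYVA)

def aslr_flags(image: bytes) -> dict:
    """Return the ASLR opt-in bits recorded in a PE image's optional header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20            # optional header follows the 20-byte COFF header
    if len(image) < opt + 72:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "is_64bit": magic == 0x20B,
        "dynamic_base": bool(chars & DYNAMIC_BASE),
        "high_entropy_va": bool(chars & HIGH_ENTROPY_VA),
    }

def verdict(image: bytes) -> str:
    """Classify a module by which randomization it opted into at link time."""
    f = aslr_flags(image)
    if not f["dynamic_base"]:
        return "no opt-in: randomized only if ForceASLR is applied"
    if f["is_64bit"] and f["high_entropy_va"]:
        return "ASLR + high entropy"
    return "ASLR"

def build_sample(magic: int, chars: int) -> bytes:
    """Constructed header-only stub for the demo (not a loadable module)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, chars)
    return dos + b"PE\0\0" + b"\0" * 20 + bytes(opt)

if __name__ == "__main__":
    for name, img in {"modern64.dll": build_sample(0x20B, 0x0060),
                      "legacy_addon.dll": build_sample(0x10B, 0x0000)}.items():
        print(name, "->", verdict(img))
```

To check a real module, pass the bytes of the DLL file to `verdict`.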
Understanding the HTML5 sandbox attribute
Inline Frames (IFrames)
are a method by which HTML pages can be embedded inside other HTML
pages. IFrames are often used to embed advertising content into
webpages. The content in an IFrame doesn’t have to come from the site
that someone is browsing. In fact, it’s common for the content in an
IFrame to be sourced from a different site. IFrames have been used to
distribute code that redirects unsuspecting people to malicious
websites.
Internet Explorer 10 can help protect users against a number of
IFrame-related exploits but only when web designers specifically
include code that enables this new feature. When this feature, called
the HTML5 sandbox attribute,
is enabled, new security restrictions are put into place for IFrames
that contain untrusted content. Among other restrictions, the HTML5
sandbox attribute has the following primary restrictions:
- When content is in this sandbox, it cannot open new browser windows.
- Links inside the sandboxed content cannot open in new windows.
- Sandboxed content cannot submit form data.
In other words, information inside the sandbox cannot be manipulated
in the same way as information outside. The sandbox is intended to be a
restricted area.
As an administrator, you don’t control implementation of this
feature directly. Rather, it works only when web developers include
special code in their websites that turns this feature on.
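Because the protection depends on what web developers put in their markup, a site's pages can be reviewed for it. The following is an added example, not part of the original text, that lists third-party IFrames lacking the sandbox attribute and sandboxed IFrames where the window and form restrictions above have been lifted; the token names `allow-popups` and `allow-forms` come from the HTML5 specification rather than this page, and the sample markup and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Standard HTML5 sandbox tokens that lift a restriction listed above.
LIFTED = {
    "allow-popups": "sandboxed content may open new windows",
    "allow-forms": "sandboxed content may submit form data",
}

class IframeAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).netloc
        self.findings = []           # (src, message) tuples

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = dict(attrs)
        src = attr.get("src") or ""
        host = urlparse(src).netloc  # empty for relative (same-site) URLs
        if "sandbox" not in attr:
            if host and host != self.page_host:
                self.findings.append((src, "third-party frame without sandbox"))
            return
        # A bare `sandbox` attribute has value None: every restriction applies.
        tokens = (attr["sandbox"] or "").lower().split()
        for token, effect in LIFTED.items():
            if token in tokens:
                self.findings.append((src, f"{token}: {effect}"))

def audit(html, page_url):
    parser = IframeAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; hosts are placeholders.
SAMPLE = """
<iframe src="https://ads.example.net/banner.html"></iframe>
<iframe src="https://ads.example.net/banner.html" sandbox></iframe>
<iframe src="https://widgets.example.org/poll.html" sandbox="allow-forms allow-popups"></iframe>
<iframe src="/help/index.html"></iframe>
"""

if __name__ == "__main__":
    for src, message in audit(SAMPLE, "https://intranet.example.com/"):
        print(f"{src}: {message}")
```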
Using Enhanced Protected Mode
Internet Explorer Protected Mode was originally introduced in Internet Explorer 7 and implements a policy based on the principle of least
privilege. Under this principle, an application such as Internet
Explorer is allowed access only to system elements and locations that
are necessary for the application to complete its task. This limits the
ability to exploit Internet Explorer to perform malicious activity on a
host.
Internet Explorer 10 in Windows 8 adds restrictions to protect host systems further. These additional restrictions include:
- 64-bit processes: For systems that support running 64-bit processes,
  Internet Explorer 10 uses 64-bit processes for many operations. 64-bit
  processes carry much larger memory address spaces. The huge memory
  space provided by 64-bit address spaces makes it more difficult for
  attacks against process memory to be successful. Touch-optimized
  Internet Explorer automatically runs in 64-bit mode on 64-bit
  computers to take advantage of this enhancement. One reason that this
  variation of Internet Explorer can easily run in a 64-bit process is
  that it cannot run add-ons. With older versions of Internet Explorer,
  general guidance recommended the use of the 32-bit edition, even on
  64-bit machines, due to add-on compatibility issues.
- Reduced execution context: When you run a program on your computer,
  that program runs in the context of your user account and has access
  to all the same things that you do, including your personal files.
  With Enhanced Protected Mode, Internet Explorer must request your
  permission before it can access files from locations that contain
  your personal information.
Enhanced Protected Mode in Internet Explorer 10 is not enabled by default, as shown in Figure 1, in which the check box next to Enable Enhanced Protected Mode is not selected. To enable this option, complete the following steps:
- Open Internet Explorer on the desktop, and then press Alt+T. Choose
  Internet Options from the menu or open it from Control Panel.
- Select the Advanced tab.
- From the Advanced tab, scroll down until you see Enable Enhanced Protected Mode.
- Select the check box next to that option and click or tap OK.
You must restart Internet Explorer for Enhanced Protected Mode to take effect.