Microsoft beefs up memory protections in IE 10

Microsoft beefs up memory protections in IE 10

Summary: Microsoft's newest Internet Explorer 10 browser contains two new anti-exploit mitigations -- High Entropy Address Space Layout Randomization (HEASLR) and ForceASLR.

TOPICS: Browser, Microsoft

Microsoft has boosted the memory protections in its flagship web browser as part of an effort to make it tougher for hackers to exploit security vulnerabilities.

Microsoft's newest Internet Explorer 10 browser, currently available as a consumer preview, contains two new anti-exploit mitigations --  High Entropy Address Space Layout Randomization (HEASLR) and ForceASLR -- and significant improvements to existing memory protection technologies.

According to Forbes Higman, Security Program Manager on the IE team, the new and enhanced mitigations improvements "will increase the difficulty and development cost of exploits, making life harder for the bad guys."

Mary Jo Foley: What's new in IE 10 in the Windows 8 Consumer Preview ]

Here's a brief explanation of the new memory protections in IE 10:follow Ryan Naraine on twitter

  • High Entropy Address Space Layout Randomization (HEASLR) takes advantage of the increase in 64bit address space and assigns more bits to entropy. This has the effect of drastically increasing the number of potential addresses that may be assigned to a 64bit process. All 64bit processes can opt-in to the increased entropy made available by HEASLR. Processes can opt-in either at link time (/HIGHENTROPYVA) or at load time via a new Image File Execution Option. By default, the Metro style browser runs in 64bit mode on 64bit computers, providing a much larger address space and thus more random memory layout.
  • ForceASLR is arguably the most important change to ASLR in Windows 8. ForceASLR is a new loader option used by Internet Explorer 10 to instruct the operating system to randomize the location of all modules loaded by the browser, even if a given module was not compiled with the /DYNAMICBASE flag. The ForceASLR protection was added to the Windows 8 kernel, and the feature is now available as an update to Windows 7 that will be installed when Internet Explorer 10 is installed on that platform. To help ensure compatibility with this feature, and to provide memory-randomization protection to older Internet Explorer versions that don’t support ForceASLR, we continue to recommend that add-on developers make use of the /DYNAMICBASE flag.

[ SEE: Ten little things to secure your online presence ]

Microsoft believes these protection technologies can provide a front line of defense to block malicious attackers.

"These technologies exist to make exploiting vulnerabilities more difficult, less reliable, and in some cases impossible. Memory protections aim to safely terminate a browser process under attack before a vulnerability can be successfully exploited to run the attacker’s code. In many cases, protections allow vendors time to produce and distribute a fix before a vulnerability can be exploited to cause damage," Higman said.


Topics: Browser, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • ForceASLR: This probably the smartest move I've seen thus far.

    Memory segment offsets change on each load of modules? But forced with older dll's? I am not sure that will work.
    Dietrich T. Schmitz *Your
  • Innovative High Entropy Address Space Layout Randomization

    This is next gen stuff. Good to see MS innovate this way. Let's see how well add-ons vendors implement the new technology.
    Your Non Advocate
    • I wouldn't classify it as next gen stuff.

      The first is an change to ALSR. The second is forcing the use of a ASLR (many people don't realize how many components of a program don't opt in to ASLR).
      • And what's gonna happen...

        ...when they find out some of their legitimate programs won't run?

        We can venture to guess...
      • It tool Apple close to a decade to partially implement ASLR

        And it still is not quite right.
        Your Non Advocate
    • Couldn't MS implement HEASLR with just a native 64 bit browser?

      [quote]High Entropy Address Space Layout Randomization (HEASLR) takes advantage of the increase in 64bit address space and assigns more bits to entropy.[/quote]A native 64 bit application on a 64 bit OS can do this too. So is this just a fancy way of saying that the 64 bit version of IE10 will be fit to use? And if not, why not?
    • Except it's not..

      It's not innovative. The Linux kernel has been doing this for ages now (full ASLR on 64 bit platforms with maximum entropy). ASLR was first developed by the PaX team for Linux back in 2001. Microsoft and Apple only came along later and "borrowed" the idea from open-source developers.

      HEASLR is just Microsoft's way of saying "Our old ASLR was weak and we are just now going to make it use the full address space of the 64 bit CPU."
  • What???s new in IE10 ????????

    what about this :
    video 1 :
    our product :
  • Wow!

    This is the kind of INNOVATION that one would come to expect from the vast INTELLECTUAL property that Micr0$uck$ owns. This is enough to make me WANT LoseDoze 7 so I can take advantage of the most advanced, most secure Operating System (O/S) ever.
  • Fascinating...

    So the Application which is in this case the webbrowser is going to do the memory protection that should be done by the OS in the first place?

    This is really upside down.. and i was still thinking how brilliant their reliability monitor was.. only possible at Microsoft.. tssk, tssk.. Derp!
    • Really?

      How is it "upside down"? I get the impression this is both an OS <i>and</i> a browser based idea. It seems to me that a program that supports all the idiocy a web browser has to (the OS is not running Java, the browser is) must, perforce, do a lot of this for the sub programs that <i>it</i> is handling. The OS is where the API for those features start and supports IE10 and that, in turn, supports the scheme at the sub program level.
      • Well, that's exactly where the hurting lies

        A browser is to browse websites. Not to install malicious software from some malicious site. Java and ActiveX functionality is just a bad idea. They are mainly used legit for website based games, which suck really bad compared to real games.
    • You missread the article

      IE 10 x64 doesn't actually implement HEASLR, its Windows 8 that does.
      IE 10 x64 only tells Windows "go ahead and use HEASLR, it won't confuse me".