X
Tech

Hardware DEP saves day again on VML IE exploit

This is the third time in a row that hardware-enforced DEP has preemptively protected me from a zero-day Internet Explorer exploit. The first time I verified this was with the WMF exploit, the second time was a zero-day IE exploit this March. Therefore I highly recommend people enable DEP protection in Windows XP SP2 and Windows Server 2003 SP1 and never buy a CPU without NX or XD capability.
Written by George Ou, Contributor

After some testing on the VML zero-day exploit for Internet Explorer, I have managed to verify that hardware-enforced DEP will prevent the exploit from launching.  IE will simply generate a DEP error asking you if you want to make a DEP exception for Internet Explorer (which you should say NO) and crash Internet Explorer.  Without hardware-enforced DEP, my test machine would have been owned by a ton of Malware from the websites I was testing on.

This is the third time in a row that hardware-enforced DEP has preemptively protected me from a zero-day Internet Explorer exploit.  The first time I verified this was with the WMF exploit, the second time was a zero-day IE exploit this March.  Therefore I highly recommend people enable DEP protection in Windows XP SP2 and Windows Server 2003 SP1 and never buy a CPU without NX or XD capability.  This DEP guide I did earlier this year is still relevant.  It doesn't have the newer CPUs listed but they all have DEP capability except the cheapest Socket A CPUs from AMD.  But even with hardware-enforced DEP enabled, it is still a good idea to implement the workarounds for this VML exploit.

According to this blog (via Alex from Sunbelt BLOG), even software-enforced DEP will mitigate this VML issue.  This was not the case in the WMF zero-day exploit when only hardware-enforced DEP would work which means it isn't worthless in all situations.  So even if you don't have a modern CPU, you should follow this guide and implement DEP.  I'm a bit nervous about software-enforced DEP because Microsoft originally stated that it would work against the WMF exploit and then had to retract that claim.  But it's better than nothing I guess.

Editorial standards