Control ill-behaved apps with DEP in IE

By Susan Bradley

Internet Explorer 8 enables a security feature that terminates the browser the moment code tries to run from memory that should hold only data, before that code can harm your system.

This capability, known as Data Execution Prevention (DEP), runs by default when IE 8 is installed on XP SP3 and Vista SP1 or later, but it may not always be clear to you why DEP has put the brakes on one of your PC’s applications.

DEP is the best reason I know for updating to Internet Explorer 8 and Vista SP1. Windows has supported hardware DEP, also called No-Execute (NX), since XP SP2, but client versions of Windows default to the OptIn policy, so only core Windows programs and applications that explicitly ask for it are protected. IE 7, for example, can run under DEP but leaves it off by default to avoid breaking old, incompatible add-ons. IE 8 turns DEP on for its own process at start-up through an API that XP SP3 and Vista SP1 added, which is why those service packs are required.

DEP is now a key part of Vista and Internet Explorer 8. Which programs it covers depends on the system-wide policy: XP and Vista default to OptIn (core Windows programs plus applications that opt in), while Windows Server 2008 defaults to OptOut (every program unless you add an exception). When I try to install older software on newer machines, I must configure Data Execution Prevention to allow the software installer to run with DEP disabled. (See Figure 1.)

[Figure 1 image: Data Execution Prevention dialog]
Figure 1. You can configure Data Execution Prevention to create an exception for an application.

To open the Data Execution Prevention dialog in XP, open Control Panel, choose System, and then select the Advanced tab. Click the Settings button in the Performance section and select the Data Execution Prevention tab. In Vista, choose Performance Information and Tools, click Advanced Tools in the left pane, select Adjust the appearance and performance of Windows, and click the Data Execution Prevention tab.

For instance, when I install QuickBooks 2007 on Windows Server 2008, I have to add the QuickBooks updating tool as an exception on the DEP tab in order to install it on the server.

Keep in mind that the only reason I’m doing so is because I trust Intuit, the publisher of QuickBooks. If I didn’t change the settings, DEP would prevent me from installing an older version of this software on the newer system.

If I didn’t already trust the vendor, I’d look for valid reasons why DEP was blocking the installation before I took the step of changing any DEP settings. Programs that genuinely need an exception are usually ones that generate machine code in ordinary data memory at run time (old ATL-based components, some JIT engines, and some executable packers). An exception removes DEP from that entire process, including whatever untrusted input it later handles, so it is not a free change. In most instances, good, up-to-date software shouldn’t need to be excluded from DEP.
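As an added example, not code from the original article, the following PowerShell script reports the same information the DEP tab shows, plus the machine-wide policy, so you can audit a PC without clicking through Control Panel: it reads the DEP policy Windows reports through WMI and lists every program someone has excluded on the DEP tab. It assumes PowerShell 2.0 or later on XP SP3, Vista SP1, Windows Server 2008 or newer, read access to HKLM, and that exceptions are stored as the DisableNXShowUI compatibility layer under AppCompatFlags\Layers, keyed by the program's full path (which is where the DEP tab writes them).

```powershell
# Added example, not part of the original article: audit the machine-wide DEP policy and the
# per-program DEP exceptions on this PC. Assumes PowerShell 2.0+ and read access to HKLM.

function Get-SystemDepPolicy {
    # Win32_OperatingSystem reports the policy the kernel is running with (the "nx" line of
    # bcdedit on Vista and later, the /noexecute= switch in boot.ini on XP).
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $policyNames = @{
        0 = 'AlwaysOff'
        1 = 'AlwaysOn (no exceptions possible)'
        2 = 'OptIn (Windows programs plus apps that opt in; client default)'
        3 = 'OptOut (every program except the exception list; server default)'
    }
    New-Object PSObject -Property @{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers        = $os.DataExecutionPrevention_Drivers
    }
}

function Get-DepExceptions {
    # The DEP tab records "turn DEP off for this program" as the compatibility layer
    # DisableNXShowUI, stored in a value named with the executable's full path. The machine
    # hive is what the dialog writes; the user hive is checked too in case a layer was set per user.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($item -eq $null) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath bookkeeping properties; real entries are file paths.
            if ($prop.Name -notlike '*\*') { continue }
            $layers = @([string]$prop.Value -split ' ')
            if ($layers -contains 'DisableNXShowUI') {
                New-Object PSObject -Property @{
                    Hive    = $hive
                    Program = $prop.Name
                    Layers  = $prop.Value
                    # A stale exception for a program that no longer exists is harmless but worth
                    # removing; an exception for a program you do not recognize deserves a look.
                    StillInstalled = (Test-Path -LiteralPath $prop.Name)
                }
            }
        }
    }
}

Get-SystemDepPolicy | Format-List
Get-DepExceptions | Format-Table Hive, Program, StillInstalled, Layers -AutoSize
```

Run it from an elevated prompt so the machine hive is readable. If HardwareDepAvailable comes back False, the processor (or the BIOS setting) does not offer NX/XD and Windows can only apply its much weaker software DEP, which merely validates structured exception handlers; on such a machine the checkbox in IE buys you little.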

DEP helps block malware in Internet Explorer

Since IE 7, Microsoft has used DEP to help thwart online attacks in the browser itself. What the company didn’t do until IE 8, though, was to enable DEP by default.

Prior to IE 8, DEP was disabled by default for compatibility reasons, as documented on the IE blog. Many older IE add-ons were built with earlier versions of the Active Template Library (ATL), which generates small pieces of machine code ("thunks") in heap memory at run time and jumps to them. With DEP on, executing from that data memory raises an access violation, so those add-ons crash the moment IE loads them. XP SP3 and Vista SP1 added a kernel-side emulation for these ATL thunks, which is part of what let the IE 8 team switch DEP on by default.

When DEP is enabled and combined with Address Space Layout Randomization (ASLR), IE’s ability to protect against Web-based attacks improves considerably. DEP stops code an attacker has written into data memory (the stack or heap) from running, so attackers instead try to reuse code that is already executable, such as functions in loaded DLLs, which requires knowing where those DLLs sit in memory. ASLR, available in Vista and later but not in XP, loads executables, DLLs, the heap and the stack at different addresses on every boot or process start, so an exploit cannot rely on fixed addresses. You can read more about ASLR in the MSDN blog.

Specifically, ASLR helps prevent exploits both in IE and in any add-ons that are loaded, but only modules built for it (linked with /DYNAMICBASE) are randomized, so one old add-on DLL at a fixed address can hand an attacker the predictable code it needs. Even with the new security protections in IE 7 and 8, the browser is still targeted more often by malware authors than other browsers. This has caused security pundits to state, as Wired’s Brian X. Chen does on the Gadget Lab blog, that Apple’s new Snow Leopard operating system is “less secure than Windows, but safer.”

(If you use Snow Leopard, I encourage you to update your system to OS X version 10.6.1. This includes a patch for the insecure Adobe Flash Player that Snow Leopard shipped with, as documented in an Apple security update.)

Several of IE 8’s built-in protections, DEP among them, look like just another annoying browser crash when they fire. (See Figure 2.)

[Figure 2 image: DEP alert in the notification area]
Figure 2. When DEP prevents bad code from executing in IE, it closes the browser and pops up an alert.

Unfortunately, it isn’t always obvious that IE is protecting you when that is exactly what it is doing.

Find the source of DEP-related browser crashes

Some PC support sites, such as the Tech Support Forum, recommend that you disable DEP to prevent it from closing IE whenever an unauthorized memory access is detected. However, once you understand why the browser is shutting down, it becomes clear why disabling DEP is a bad idea.

Generally, DEP errors in IE are due to an add-on, a hardware conflict, or a corrupted IE installation. If DEP continually shuts down IE on your system, find the cause of the failures instead of disabling DEP: each closure is DEP catching something that tried to execute from data memory, whether a buggy add-on or an actual exploit attempt. For example, there are reports that stealthy toolbars from the Chinese search engine Baidu are the source of many DEP closures.

If DEP is closing IE 8 on a regular basis, first try opening the browser with all add-ons disabled. To do so, click Start, All Programs, Accessories, System Tools, Internet Explorer (No Add-ons). (That shortcut simply runs iexplore.exe with the -extoff switch, which you can also type into Start, Run.)

If the DEP closures stop, this indicates that an add-on is causing the problem. In Tools, Manage Add-ons, disable each add-on and then enable them one by one until the crashes return. At that time, you’ve found the culprit.

To review the processes DEP has enabled by default, press Ctrl+Alt+Del and click Start Task Manager. Click the Processes tab, select View, and choose Select Columns. Scroll to the bottom of the resulting dialog box, check the Data Execution Prevention option, and click OK.

UPDATE 2009-09-22: The instructions for viewing the Data Execution Prevention column under Task Manager’s Processes tab apply only to Vista, not to XP.

A new column appears in the Processes window that shows which processes on your PC are running with DEP. The more processes for which DEP is enabled, the better your system is protected from buffer overflows and the other memory-related vulnerabilities DEP shields you from. Keep in mind that DEP does not fix the underlying bug; it stops the classic payload (code written into a buffer and then executed), and an attacker who can string together code that is already executable may still get through, which is why DEP is paired with ASLR.

If you decide that you must disable DEP, you can easily do so in the 32-bit versions of IE 7 and IE 8.

To find this setting in IE 7, click Tools, Internet Options, Advanced, and scroll to the Security section, as shown in Figure 3. (Press the Alt key if IE’s standard menu isn’t visible.)

In IE 8, first right-click the IE shortcut, select Run as administrator, and then enter the browser’s Advanced options.

In both IE 7 and IE 8, uncheck Enable memory protection to help mitigate online attacks to disable DEP.

[Figure 3 image: DEP setting in IE’s Advanced options]
Figure 3. On 32-bit systems, DEP is enabled by the “Enable memory protection” option, which is fourth from the bottom in this screen shot.

The 64-bit version of IE 8 lacks a DEP option on the Advanced tab. The reason it’s not visible in the 64-bit version of IE is that DEP is always on for 64-bit processes and can’t be disabled. If you’re running a 64-bit operating system, you probably want the protections that DEP gives you, though note that 64-bit IE cannot load 32-bit add-ons such as the common ActiveX controls, which is why 64-bit Windows still makes the 32-bit browser the default.
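Two of the checks above, Task Manager’s DEP column (Vista only) and the “Enable memory protection” checkbox, can be made with one PowerShell script on XP SP3, Vista SP1, Windows Server 2008 and later. The following is an added example, not code from the original article. It calls the GetProcessDEPPolicy API that those service packs added to ask each process whether it runs with DEP, and reads the registry value behind IE’s checkbox. Assumptions: PowerShell 2.0 or later (for Add-Type); the checkbox is stored as a DWORD named DEPOff under Software\Microsoft\Internet Explorer\Main, with 1 meaning memory protection is off; and the query may fail for 64-bit processes, where DEP is always on.

```powershell
# Added example, not part of the original article: per-process DEP status plus the IE
# "Enable memory protection" setting. Assumes PowerShell 2.0+; DEPOff is assumed to be the
# value name behind the IE checkbox (1 = protection off).

Add-Type -Namespace DepAudit -Name Native -MemberDefinition @'
    // kernel32!GetProcessDEPPolicy, added in XP SP3 and Vista SP1 (the same service packs
    // that gave IE 8 the SetProcessDEPPolicy call it uses to switch DEP on for itself).
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

$PROCESS_DEP_ENABLE = 1                       # DEP is on for this process
$PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION = 2  # DEP on and old-ATL thunk emulation off (strict mode)

function Get-ProcessDepStatus {
    foreach ($p in Get-Process) {
        $flags = [uint32]0
        $permanent = $false
        $status = 'unknown'
        try {
            $h = $p.Handle   # throws for processes we cannot open (System, protected, other users)
            if ([DepAudit.Native]::GetProcessDEPPolicy($h, [ref]$flags, [ref]$permanent)) {
                if ($flags -band $PROCESS_DEP_ENABLE) { $status = 'Enabled' } else { $status = 'Disabled' }
                if ($permanent) { $status += ' (permanent)' }   # cannot be turned off again at run time
                if ($flags -band $PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) { $status += ', no ATL thunk emulation' }
            } else {
                # Expected for 64-bit processes on x64 Windows, where DEP is always on anyway.
                $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
                $status = "query failed, Win32 error $err"
            }
        } catch {
            $status = 'access denied'
        }
        New-Object PSObject -Property @{ Id = $p.Id; Name = $p.ProcessName; DEP = $status }
    }
}

function Get-IEMemoryProtectionSetting {
    # IE 8 needs "Run as administrator" to change the box, so the machine hive is the one that
    # matters; the user hive is read too for older installs. Assumption: value name DEPOff.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Microsoft\Internet Explorer\Main"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $state = 'ON (DEPOff not set, IE default)'
        if ($props -ne $null -and $props.PSObject.Properties['DEPOff'] -ne $null) {
            if ($props.DEPOff -eq 1) { $state = 'OFF (DEPOff=1)' } else { $state = 'ON (DEPOff=0)' }
        }
        New-Object PSObject -Property @{ Hive = $hive; MemoryProtection = $state }
    }
}

Get-IEMemoryProtectionSetting | Format-Table Hive, MemoryProtection -AutoSize
Get-ProcessDepStatus | Sort-Object DEP, Name | Format-Table Id, Name, DEP -AutoSize

# While re-enabling add-ons one at a time, confirm the browser itself is still covered:
Get-ProcessDepStatus | Where-Object { $_.Name -eq 'iexplore' } | Format-Table Id, Name, DEP -AutoSize
```

On XP this gives you the per-process view that Task Manager there lacks. A 32-bit iexplore.exe that reports "Enabled (permanent)" is IE 8 behaving as designed; an iexplore.exe that reports "Disabled" on a machine whose DEPOff value is 0 means someone excluded the browser on the DEP tab, which the first script on this page will show.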

Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

All Windows Secrets articles posted on 2009-09-17:
