Data Execution Prevention or No-Execute

Apr 9, 2008 10:56 GMT

Marking a step up in security over its predecessor, Internet Explorer 8, even in its first beta, ships with the "enable memory protection to help mitigate online attacks" option turned on by default. "Memory protection" here refers to Data Execution Prevention (DEP), also known as No-Execute (NX), and, according to Microsoft, the default applies on Windows Server 2008, Windows Vista SP1 and "later." That unspecified "later" could be a reference to the Service Pack 2 updates for both Vista and Windows Server 2008, but it could also point to what IE8 will bring to Windows 7, the next version of the Windows operating system.

"DEP/NX helps to foil attacks by preventing code from running in memory that is marked non-executable. DEP/NX, combined with other technologies like Address Space Layout Randomization (ASLR), make it harder for attackers to exploit certain types of memory-related vulnerabilities like buffer overruns. Best of all, the protection applies to both Internet Explorer and the add-ons it loads. No additional user interaction is required to provide this protection, and no new prompts are introduced," stated Eric Lawrence, IE Program Manager.

Internet Explorer 7 shipped with DEP/NX disabled by default because Microsoft had identified compatibility problems. Specifically, IE7 with DEP/NX enabled crashed on browser add-ons built with an outdated version of the ATL library: those ATL versions generated small pieces of code at run time in memory that was never marked executable, which is exactly what DEP/NX refuses to run. Starting with version 7.1 SP1, ATL no longer relies on the problematic dynamically generated code.

The "new DEP/NX APIs have been added to Windows Server 2008 and recent Windows Service Packs to enable use of DEP/NX while retaining compatibility with older ATL versions. These new APIs allow Internet Explorer to opt-in to DEP/NX without causing add-ons built with older versions of ATL to crash," Lawrence added.
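As an added illustration, not code from the article or from Microsoft, the following C program reproduces the failure mode behind the ATL compatibility problem and the protection Lawrence describes: it emits a tiny "return 42" thunk into a freshly allocated page at run time, the way pre-7.1 SP1 ATL did, and calls it first while the page is still read/write and then after the page has been marked executable. POSIX mmap/mprotect stand in for the Windows VirtualAlloc/VirtualProtect calls, and the SIGSEGV handler stands in for the crash an add-on would have produced. The process-level opt-in the article refers to is the Windows SetProcessDEPPolicy API, with which Windows keeps old ATL add-ons alive by recognising and emulating the known thunk patterns rather than faulting on them. The machine-code bytes are assumed to run on x86-64 (or i386) or AArch64; other architectures are not covered.

```c
/* Added example (not from the article): what DEP/NX enforces, and why
 * add-ons built with pre-7.1 SP1 ATL crashed under it. Old ATL wrote
 * small thunks into ordinary heap memory at run time and then called
 * them; with NX in force, calling into a page that is not marked
 * executable faults. POSIX mmap/mprotect are used here instead of the
 * Windows VirtualAlloc/VirtualProtect calls. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*thunk_fn)(void);

/* Machine code for "return 42"; assumed to run on x86-64/i386 or AArch64. */
#if defined(__x86_64__) || defined(__i386__)
static const uint8_t THUNK[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };           /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t THUNK[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0,#42 ; ret */
#else
#error "no thunk encoding for this architecture"
#endif

static sigjmp_buf fault_jmp;

/* Stand-in for the crash an add-on would produce: unwind out of the
 * faulting call instead of letting the process die. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);
}

/* Copy THUNK into a fresh page, set the page to `prot`, and call it.
 * Returns 42 if the thunk ran, -1 if NX blocked the call, -2 on setup error. */
static int run_thunk_with_prot(int prot)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -2;
    memcpy(mem, THUNK, sizeof THUNK);          /* "generate" code at run time */
    if (mprotect(mem, page, prot) != 0) {      /* RW stays non-executable; RX is what a DEP-aware allocator asks for */
        munmap(mem, page);
        return -2;
    }
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof THUNK);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;                  /* we leave the handler via siglongjmp */
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result = -2;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        thunk_fn fn;
        memcpy(&fn, &mem, sizeof fn);          /* turn the data pointer into a call target, as ATL did */
        result = fn();                         /* instruction fetch from a non-exec page faults here */
    } else {
        result = -1;                           /* NX fault was caught */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(mem, page);
    return result;
}

/* The "old ATL" case: code left in a read/write page. Expect -1 under NX. */
int thunk_in_rw_page(void) { return run_thunk_with_prot(PROT_READ | PROT_WRITE); }

/* The fixed case: the page is explicitly made executable. Expect 42. */
int thunk_in_rx_page(void) { return run_thunk_with_prot(PROT_READ | PROT_EXEC); }

int main(void)
{
    printf("thunk called from a read/write page:   %d  (-1 = NX fault caught)\n", thunk_in_rw_page());
    printf("thunk called from a read/execute page: %d  (42 = thunk ran)\n", thunk_in_rx_page());
    return 0;
}
```

Build with `cc -O2 nx_thunk_demo.c -o nx_thunk_demo` (the file name is arbitrary) on a Linux or BSD host with NX enforced; the first call is refused and the second succeeds, which is the difference between an ATL 7.1 SP1 add-on and an older one once IE opts the process into DEP/NX.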

Internet Explorer 8 (IE8) Beta 1 is available for download here.