Windows 8’s Internet Explorer 10 with Enhanced Protected Mode
Meant to offer better protection against web attacks
One of the security measures that Microsoft has included in Internet Explorer 10 in the upcoming Windows 8 was an Enhanced Protected Mode, which is enabled by default when browser runs in Metro-style.This security enhancement is meant to ensure that users’ data remains safe even at times when an attacker exploits a vulnerability in the browser.
However, things are a bit more complicated than that, and Microsoft notes that they are pursuing multiple strategies to ensure increased security in Internet Explorer 10.
Thus, the company has designed the browser to offer better protection from socially engineered attacks. The SmartScreen Filter was designed to protect against malware attacks and phishing, and the same protection is included in the Windows Shell as well.
IE10 should also protect users from malware attacks that exploit vulnerabilities in websites, Andy Zeigler, senior program manager, Internet Explorer, notes in a blog post.
"We protect you with the XSS Filter, which automatically prevents certain types of attacks, and make it easier for Web sites to secure themselves with Declarative Security features, like IE10’s new support for the HTML5 Sandbox,” he states.
Additionally, there are the constant updates that Microsoft is delivering to users to patch various vulnerabilities that might have been found in the Windows client or in IE.
And there is also the said Enhanced Protected Mode, which is the successor of a Protected Mode introduced in Internet Explorer 7 in Windows Vista.
The Protected Mode “is an extra layer of protection that locks down parts of your system that your browser ordinarily doesn’t need to use,” Andy Zeigler explains.
“For example, your browser doesn’t usually need to modify system settings or write to your Documents folder. Protected Mode is based on the principle of least privilege -- by reducing the capabilities that Internet Explorer has, the capabilities available to exploit code are reduced as well.”
The Enhanced Protected Mode brings along some new capabilities, such as 64-bit processes, restricted access to personal documents on the PC, and more.
When it comes to 64-bit memory addresses, protection features are more effective than on 32-bit ones, making heap spray attacks, usually used for planting malicious code, much more difficult.
Moreover, when the Enhanced Protected Mode is active in IE, the browser does not have access to personal documents and the like unless the user allows it to.
“For example, consider Web-based email. If you want to attach a file from your Documents folder to the email, then Internet Explorer needs permission to access the file and upload it to your email provider,” the blog post explains.
“With Enhanced Protected Mode, a “broker process” will grant Internet Explorer temporary access to the file only if you actually click on “Open” on the file upload dialog.”
This security feature also limits the access to corporate network resources by blocking Internet tab processes from accessing user’s credentials and by preventing them from operating as local webservers. Additionally, Internet tabs cannot make connections to intranet servers.
Metro style Internet Explorer will run with Enhanced Protected Mode enabled at all times. For the desktop mode, users will have to enable it from Internet Options > advanced. Do note that incompatible add-ons will automatically be disabled. However, they can be enabled for specific websites when needed.