Enhanced Protected Mode

Every release of Internet Explorer includes new security enhancements to help keep you safe as you browse the Internet. The new Enhanced Protected Mode in Internet Explorer 10 helps keep your data safe even if an attacker has exploited a vulnerability in the browser or one of its add-ons.

There is no single thing that can keep you secure by itself, so we pursue multiple strategies, including:

Protection from socially-engineered attacks

There are a variety of miscreants that want to steal your personal information or take over your computer by impersonating Web sites that you trust. SmartScreen Filter provides the best protection available against malware attacks and phishing. In Windows 8, this protection was added to the Windows Shell, to help keep you safe from malware no matter how it was downloaded.

Protection from attacks designed to exploit vulnerabilities in Web sites

“Good” Web sites can have security vulnerabilities that can allow evil Web sites to steal your data or perform actions as if they were you. We protect you with the XSS Filter, which automatically prevents certain types of attacks, and make it easier for Web sites to secure themselves with Declarative Security features, like IE10’s new support for the HTML5 Sandbox.

Protection against attacks designed to exploit the browser or operating system

Automatic updating ensures that you have the latest updates installed. This protects you against security issues that have been fixed. IE9 added memory protection features to make it harder to exploit certain types of vulnerabilities and we enhanced these features in IE10. We also added a new layer of protection in IE10 called Enhanced Protected Mode.

Enhanced Protected Mode

Protected Mode, which was added in IE7 for Windows Vista, is defense in depth feature that helps prevent attackers from installing software or modifying system settings if they manage to run exploit code. It is an extra layer of protection that locks down parts of your system that your browser ordinarily doesn’t need to use. For example, your browser doesn’t usually need to modify system settings or write to your Documents folder. Protected Mode is based on the principle of least privilege — by reducing the capabilities that Internet Explorer has, the capabilities available to exploit code are reduced as well.

“Enhanced” Protected Mode takes this concept further by restricting additional capabilities. Below is a list of some of the new ways that Enhanced Protected Mode helps keep you safe:

64-bit processes

Most PCs shipped in the last few years have 64-bit CPUs, and many have a 64-bit version of Windows installed. “64-bit” is usually thought of as a way to extend the amount of memory that a program on your computer can use: because 64-bit processors use 64-bit memory addresses instead of 32-bit ones, a program can “address,” or use, more memory if it’s available.

A 32-bit number is large – it’s a little more than 4 billion. A 64-bit address is much larger number – roughly 18 pentillion and change (18,446,744,073,709,551,616). Not only does a 64-bit number let you address more memory, it also makes existing memory protection features such as ASLR (Address Space Layout Randomization) much more effective. Heap spray attacks, which are used by attackers to plant malicious code at predictable locations, become much more difficult because it isn’t practical to “fill up” a 64-bit address space – you’ll run out of memory and disk space long before any sizable fraction of the address space is sprayed.

Protecting your personal information

When you run a program, it has access to anything on the computer that you have access to, including your personal documents. Enhanced Protected Mode restricts Internet Explorer from locations that contain your personal information until you grant permission to it. This helps prevent exploit code from accessing your personal information without your permission.

For example, consider Web-based email. If you want to attach a file from your Documents folder to the email, then Internet Explorer needs permission to access the file and upload it to your email provider. With Enhanced Protected Mode, a “broker process” will grant Internet Explorer temporary access to the file only if you actually click on “Open” on the file upload dialog:

Screen shot showing attaching a file from your Documents folder to an email using a Web-based email application

Notice that there are no extra prompts. Brokering is done automatically after you choose to open a file. This is like providing a single safe deposit box to Internet Explorer when requested, instead of giving access to the entire safe all of the time.

Protecting your corporate assets

Most corporate networks, or “intranets,” contain valuable information that must be protected from attackers. Enhanced Protected Mode restricts an exploit’s ability to access corporate network resources in three ways. First, Internet tab processes, which is where untrusted Internet pages load, do not have access to a user’s domain credentials. Second, they cannot operate as local webservers, which makes it more difficult to impersonate an Intranet site. Third, Internet tabs cannot make connections to intranet servers.

Default Settings and Compatibility

Metro style Internet Explorer always runs with Enhanced Protected Mode enabled – there isn’t anything that you need to configure – just browse. Because Metro style Internet Explorer offers plug-in free browsing, the compatibility impact of this security feature is minimal.

Many add-ons, such as Adobe Flash and certain toolbars are not yet compatible with Enhanced Protected Mode. Some Web sites still require Adobe Flash in order to work, and some users enjoy the additional functionality offered by some toolbars. In Windows 8 Beta, Enhanced Protected Mode can be enabled in the desktop under Internet Options->Advanced:

Screen shot of the Advanced tab of the Internet Options dialog showing the new “Enable Enhanced Protected Mode” option.

After you enable Enhanced Protected Mode, incompatible add-ons will automatically be disabled. If you encounter a site that needs an add-on such as Flash in order to work, you can disable Enhanced Protected Mode just for that particular Web site.

Notification message which reads “This webpage wants to run 'Adobe Flash Player 10.3 d162'. If you trust this site, you can disable Enhanced Protected Mode for this site to run the control.” The notication bar contains one button labeled “Disable”.

This allows you to continue using the site, and have Enhanced Protected Mode enabled on the rest of the Internet. Keep in mind that you should only do this if you know and trust the Web site.

Of course, if you prefer to browse without add-ons, you can always turn on ActiveX Filtering, which will prevent you from seeing this prompt.

Summary

Defense-in-depth is an area of continual investment for the Windows team. It’s a widely-applied principle in the real world as well. Safety deposit boxes have locks on them. But they are also kept inside of a locked room, inside of a bank, which is locked and is armed with an advanced security system. Enhanced Protected Mode is another layer of protection that helps protect your data from malicious attackers.

—Andy Zeigler, Senior Program Manager, Internet Explorer


IEBlog