
MS disables sandboxing for Internet Explorer 11 by default.

Recently we wrote about the exploit-mitigation features for Internet Explorer users that Microsoft introduced with the latest browser versions: IE10 and IE11 for Windows 7 x64, 8 and 8.1. The technology behind these features is called sandboxing, and it is implemented in Internet Explorer, starting with the tenth version (IE10+), as Enhanced Protected Mode (EPM). We also noted that EPM works differently on Windows 7 x64 and on Windows 8 / 8.1. On Windows 7 x64, EPM forces the browser to run its tabs in 64-bit processes, which helps protect against heap spraying, the basic technique for circumventing the limitations imposed by ASLR (in a 64-bit address space ASLR has more room for placing allocations, and such a large virtual address space by itself greatly complicates a spray).



For IE10+ on Windows 8 / 8.1, EPM is implemented as full-fledged sandboxing: the browser launches its tabs in AppContainer mode (essentially an extension of the restrictions imposed by Integrity Levels). On these operating systems EPM was enabled by default, unlike Windows 7, where it had to be turned on manually. It is well known that many users run the browser with its default settings and never change them, so having EPM on in this form was very good news, especially for users of the newest Windows 8.1, which ships with IE11. However, a recent Internet Explorer update, MS13-088, released as part of the November Patch Tuesday, disables the EPM setting by default for Windows 8 / 8.1 users.
Thus, once the update is installed, resetting IE's advanced settings to their defaults leaves the user with EPM disabled.


Fig. Advanced IE11 settings at their defaults on Windows 8.1: EPM is off.

We, in turn, recommend that IE users check this setting in their browser and enable it if it is turned off. Note also that even with EPM / AppContainer mode active on Windows 8 / 8.1, IE runs its tabs as 32-bit processes on x64 systems. To enable full IE protection, you must manually tick the “Enable 64-bit processes for Enhanced Protected Mode” checkbox.
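For administrators who want to verify the two settings described above across machines rather than clicking through Internet Options, here is an added PowerShell audit script (not from the original post). It assumes the IE preference lives in the Isolation (REG_SZ, "PMEM" = EPM on) and Isolation64Bit (REG_DWORD, 1 = 64-bit tabs) values under HKCU\Software\Microsoft\Internet Explorer\Main, with the same value names under the Policies hive overriding them when set by Group Policy.

```powershell
# Added example, not code from the original post: audit whether IE11's
# Enhanced Protected Mode (EPM) and its 64-bit tab processes are enabled.
# Assumed registry locations: "Isolation" (REG_SZ, "PMEM" = EPM on) and
# "Isolation64Bit" (REG_DWORD, 1 = 64-bit tabs) under the per-user Main key,
# with the Policies key taking precedence when a GPO sets the same values.

$UserKey   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'

function Get-IEValue {
    param([string]$Name)
    # A policy-enforced value (if present) wins over the user preference.
    foreach ($key in @($PolicyKey, $UserKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = $item.$Name; Source = $key }
        }
    }
    return $null
}

function Test-IEEnhancedProtectedMode {
    $epm = Get-IEValue -Name 'Isolation'
    $x64 = Get-IEValue -Name 'Isolation64Bit'

    # An absent value means "browser default"; after MS13-088 that default
    # is EPM off on Windows 8 / 8.1, so absent is reported as disabled.
    $epmOn = ($null -ne $epm) -and ($epm.Value -eq 'PMEM')
    $x64On = ($null -ne $x64) -and ([int]$x64.Value -eq 1)

    [pscustomobject]@{
        EnhancedProtectedMode = $epmOn
        EPMSource             = if ($epm) { $epm.Source } else { '(not set: IE default)' }
        SixtyFourBitTabs      = $x64On
        X64Source             = if ($x64) { $x64.Source } else { '(not set: IE default)' }
    }
}

$state = Test-IEEnhancedProtectedMode
$state | Format-List

if (-not $state.EnhancedProtectedMode) {
    Write-Warning 'EPM is off: enable it under Internet Options > Advanced (Isolation=PMEM).'
}
if (-not $state.SixtyFourBitTabs) {
    Write-Warning 'Tabs run as 32-bit processes: tick "Enable 64-bit processes for Enhanced Protected Mode".'
}
```

Run it in the context of the user whose browser you are checking, since the preference is stored per user; the Policies key is only present where a GPO manages the setting.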

Source: https://habr.com/ru/post/204084/

