IE10 Enhanced Protection Mode

I'm using an HP laptop from 2007 with Windows 8, and my System information says "32-bit operating system, x64-based processor". I read that IE10 Enhanced Protection Mode improves security by running processes as 64-bit, if I have that right. Will this improve browsing security on my 32-bit OS laptop, or would I be safer with Google Chrome with AdBlock Plus and BitDefender Traffic Light extensions? I'm using Avast free antivirus and Windows firewall. I also use Windows 8 as desktop instead of Metro UI. Thanks!

 

EPM will do nothing on a 32-bit system.

 

Your hardware may be 64 bit, but if your OS is 32 bit, it can't run 64 bit processes.

 

To get the full benefits of X64, upgrade to x64 Windows 7.

 

On 32-bit Windows 7, EPM will do nothing. However, on 32-bit Win8, EPM runs each tab process in its own AppContainer for higher security. On 32-bit Win8, they just can't use High-Entropy ASLR.

Going back to the original question, if you're interested in tweaking IE10 security on Win8, then enable Enhanced Protected mode in the Advanced tab of the Internet Options panel for the "Desktop-style" IE10, then skip over to the Security tab and make sure you've checked the checkbox for Protected Mode on all four Zones (Internet, Intranet, Trusted Sites, and of course Restricted). Now your tabs will be running in AppContainers. More info on all that: http://blogs.msdn.com/b/ieinternals...rk-security-addons-cookies-metro-desktop.aspx

I'd also suggest enabling ActiveX Filtering, which is done by clicking the gear icon > Safety > ActiveX Filtering, and using Microsoft EMET. According to security researcher Didier Stevens, EMET's ASLR implementation is better than the baseline Windows ALSR, since it changes base addresses every time a process is started (as opposed to once per reboot). That info may be somewhat dated by now, but the bottom line is that EMET is a keeper.

 

Thanks for all that info, mechBgon. I set up my IE10 as you recommended, including Active-X and EMET. One fringe benefit I noted with EPM is that it apparently blocks ads, which is helpful since I couldn't install AdBlock Plus onto IE10. With EPM/Active-X/EMET. do you believe IE10 provides comparable security to Google Chrome & Firefox on Windows 8?

 

It might even be the ActiveX Filtering that's reducing the ads, since it switches Flash Player to disabled-by-default and you then enable it for sites where you want it (that's the blue circle-with-a-slash up in the address bar, click it if you're not seeing the intended content and you can opt that site in).

In the big picture, FireFox has an underlying disadvantage: it runs with the user's own Integrity Level and no sandbox, so if/when it does get compromised, the bad guys have the same clout that you have. Chrome runs at low integrity with a sandbox, IE10 has low integrity and Protected Mode (and AppContainer on Win8 ). Some will point out that FF has extra security tweakability in the form of NoScript, and that does have value if you don't mind the upkeep.

Beyond that, I perceive IE10 and Chrome competing about equally. Both of their makers have their game face on when it comes to security. With either one, the next thing I'd look at is keeping my add-ons/extensions up-to-date, since they're so heavily targeted in real life:

1. unless you absolutely must have Oracle Java installed, uninstall it and avoid it perpetually. If you do need it, then make sure it can only function for sites where you absolutely do need it. One technique is to have one Java-enabled browser and use it ONLY for the Java-driven sites that you absolutely must use, and test to be sure Java's disabled in your other browser(s). If you're using Win8 Professional then I can also go into detail on how to limit Java using the Local Group Policy.

2. try out the Secunia PSI utility, which checks to see if your software (including browser add-ons) needs security patches, and shows you where to download them from.

3. enable add-ons only for sites where you definitely want them to run. Using ActiveX Filtering is one example of this. EPM on Win8 will also severely restrict what add-ons can even try to run, since many aren't AppContainer-compatible by nature and get automatically blocked. In that situation, you see a prompt to allow you to choose Disabled if you want to fall back on "regular" Protected Mode (32-bit tab, no AppContainer) to use the add-on. A real-world example for me: the ActiveX control I use to view our security cameras at work, which requires dropping out of EPM to view the video feed.

4. set your User Account Control slider to "Always Notify." This guards against a known type of privilege-escalation exploit used by certain nasty malware in the infection routine, e.g. ZeroAccess rootkits.

edit: 5. PDF readers are also exploited in real life via browsers and other methods. If you find the built-in Win8 Reader gets the job done for you, uninstall your other PDF readers and just use that, because it runs in an AppContainer and doesn't have tons of extra features to abuse. Next-best: Adobe Reader 11 in a security-hardened form, since it has a good sandbox and the abused features can be turned off. Some tips on that here: http://security.thejoshmeister.com/2010/05/7-easy-steps-to-increase-adobe-reader.html



If your laptop happens to have a fingerprint reader, also consider using biometric software to make it easier to use super-strong passwords and avoid password re-use at multiple websites. Post back if that's the case and I can go into more detail.

 

I believe I uninstalled Java already; if it doesn't show under Start -> Programs, can I assume I'm OK there? I've had Secunia PSI for a while, so I should be good on SW updates. My laptop doesn't have a fingerprint reader, but I've been using KeePass for passwords instead.
Regarding EMET, it looks like there's more than one release around. Mine is 3.0, but do I need to keep an eye out for 4.0? iexplore currently shows under the "DEP" and "Running EMET" columns. Thanks again for taking the time to help!

 

That sounds good. As a confirmation, you could try a Java-driven site like www.time.gov to confirm there's no Java functionality.

EMET 4.0 would be worthwhile just on the ease-of-use improvements alone. For example, you can start up all your browsers, media players, PDF readers, music apps, instant-messaging programs, email programs and anything else that might be at risk, and then select them from EMET's "running processes" list (hold down CTRL while clicking to select multiple programs at once), then right-click them and choose Configure Apps to add them to the protected list. That's much easier than hunting them down the old way.

EMET 4.0 also has some desirable improvements in other areas. So yeah, I think that's the one to get. The beta version is working well, if you don't want to wait for the final version.