Welcome to the first in a series of technical blog postings about some of the advanced features available to you through UniBrows. My name is Christopher Vaughan, and I’m the Director of Systems Engineering here at Browsium. The goal of this series of technical blog postings is to share some insight into the variety, purpose for and usage of some of the advanced options available to you through UniBrows.
Since our initial release of UniBrows 1.0 back in March of this year, we’ve been updating the product every few weeks to incorporate changes to help make our customers web-based applications work better. This often includes the introduction of new options to toggle on or off in a UniBrows Profile, allowing applications that need certain behaviors to take advantage of them, while not interfering with those that don’t.
Since our 1.0 release, we’ve offered an option in our Profiles to turn Windows’ DEP/NX security feature on or off per Profile. In order to go in depth as to why you might do this, it’s appropriate to start with the question: just what is DEP/NX?
What is DEP/NX?
At a high level, DEP and NX are hardware-level security improvements created out of the security crisis of the early 2000’s, the same crisis that produced Windows XP Service Pack 2 (I remember this time well; I worked at Microsoft during those years). Essentially, DEP & NX help prevent rogue/malicious/hacked software from running data in memory as an executable. It’s a standard hacker attack vector: load data into memory on the machine, and then trick Windows to ‘run’ the memory they’ve loaded instead of a real program. With DEP/NX, anything loaded into memory is marked as either an executable or data, and if an attempt is made to run memory marked as data, the DEP/NX functionality forces the app to crash – better to crash and close than to allow a rogue program access to your system! DEP/NX are enabled at the hardware level (although Windows makes an attempt to emulate DEP/NX in software if you’re running on old hardware that doesn’t support DEP/NX). Other modern operating systems like Linux and Mac OS also support DEP/NX.
DEP/NX support is a good thing: it helps limit hacker attack vectors and reduces the risk that the bad guys can get arbitrary software to run on your computer. DEP/NX is part of Microsoft’s broad defense-in-depth strategy to mitigate the threat of attack (alongside technologies such as ASLR, SafeSEH and Enhanced GS).
DEP and NX are useful tools in the fight for security, but there’s a problem: benign applications (or browser add-ons including toolbars and ActiveX controls) written before the introduction of DEP/NX (essentially, written prior to 2004) can inadvertently trip the security feature despite not having any malicious intent. In fact, DEP/NX was first included in Windows XP Service Pack 2 (released in 2004) and Internet Explorer 7 (released in 2006), but was disabled in IE primarily due to incompatibility with older add-ons. Here’s a quote from Microsoft:
Internet Explorer 7 had DEP/NX disabled by default because Microsoft had identified compatibility problems. Essentially, IE7 with DEP/NX enabled failed to play well with browser add-ons that were put together using an outdated variant of the ATL library. (link)
Compatibility or security?
In essence, old add-ons built with a common code library often caused the DEP/NX feature to close legitimate add-ons, which as a result crashed the browser! This left IT with the choice: compatibility or security, which as many of us know is no choice at all. IT could either enable DEP/NX for maximum security, or leave it disabled for maximum compatibility.
It is of course these older versions of web pages and add-ons that UniBrows is designed to help! Many of the appliations and add-ons we see our customers using were written and designed around 10 years ago, well prior to the introduction of DEP/NX.
What’s DEP/NX got to do with UniBrows?
Enter the UniBrows solution: we work with the Windows architecture and allow you to turn DEP/NX off only for the older web applications that don’t play well with this useful security feature. Turn DEP/NX off via the UniBrows Profile, and keep DEP/NX enabled for IE everywhere else! It’s the best of both worlds: maximum compatibility with the old apps you want to run, and maximum security with the open Internet.
For any Profile loaded with UniBrows, there’s a checkbox (circled in red below):
Simply tick this box for any Profile, and DEP/NX will be disabled for that Profile alone, which grants you maximum compatibility with your old applications and add-ons. Corporations running Windows XP SP3, Windows Vista or Windows 7 or later can all take advantage of this option (Windows XP SP2, while it supports DEP/NX in the OS, does not support 3rd party applications such as UniBrows enabling or disabling the functionality programmatically).
Checking this box does not affect add-ons running in your installed browser, meaning you can keep DEP/NX enabled for your users while they browse the Internet at large (keeping them more secure), but when UniBrows loads this custom Profile for your internal web application, DEP/NX is disabled for that site only.
The bottom line: you can keep your organization safer with DEP/NX and UniBrows working together
Remember, UniBrows Profiles are only loaded when your users visit the web sites you direct them to, meaning that your users won’t visit a web site with DEP/NX disabled unless you configure things that way.
Before UniBrows: DEP/NX disabled everywhere 🙁
With UniBrows: DEP/NX enabled everywhere except the sites you require it to be disabled for 🙂
Feature availability: UniBrows version 1.0.0 and later
Read more about DEP/NX
MSDN on DEP/NX: http://msdn.microsoft.com/en-us/library/dd565649(VS.85).aspx
The IE team blogs about DEP/NX crashes: http://blogs.msdn.com/b/ieinternals/archive/2009/10/10/understanding-data-execution-prevention-crashes-in-ie8.aspx
The IE team discusses DEP/NX in IE8: http://blogs.msdn.com/b/ie/archive/2008/04/08/ie8-security-part-i_3a00_-dep-nx-memory-protection.aspx