Trying to reply to a post in EMET thread that I started but getting javascript void error

  • Question

  • Hi. I have been trying to reply to a post in the following thread that I started "EMET_Conf will not open and EMET_notifier never notifies". However when I click on the reply button I get a javascript void error and I am unable to post a reply. This happens in both IE and Firefox browsers. I have no idea how to get around this problem. I would really like to reply to the thread I started. Any help would be much appreciated. Obviously I will not be able to reply to any answers that you provide so perhaps you could suggest another way for me to reply. Thanks. Machi
    Tuesday, April 30, 2013 12:42 AM

Answers

  • Hi Machi12,

    I am sorry to hear of the difficulties that you are facing in replying to the forum thread that you created on the 28th of April.

    I would first suggest that you check if JavaScript is enabled for your web browser. To do this for Firefox, follow these steps:

    1. Click the Firefox menu (which is colored orange) in the top left corner of the Firefox window.

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Firefox_Menu1.png

    2. Click the Options and choose the Options sub-menu.

    3. Next click on the Content icon on the top row of the Options window. Make sure that the Enable JavaScript option is enabled (checked/ticked).

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Firefox_Menu2.png

    For Internet Explorer, follow these steps:

    To enable JavaScript:

    1. From the Tools menu, or the Tools drop-down in the upper right, choose Internet Options.
    2. Click the Security tab.
    3. Click Custom Level button.
    4. Scroll to the "Scripting" section of the list. Click Enable and click OK.
    5. Restart your browser.

    The Scripting option which shows that JavaScript is enabled is pictured below:

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/IE_JavaScript.png

    I primarily use IE 10 64 bit on Windows 7 64 bit SP1 to browse and use this forum. In an attempt to re-create the issue you are experiencing I also used Google Chrome Beta v27.0.1453.65 and Firefox 20.0.1. IE 10 and Google Chrome worked without issue. Firefox needed a small setting change as mentioned below (since I have the NoScript add-on installed).

    While creating the above steps, I encountered a very similar issue when trying to reply to an existing forum thread. If you are using the NoScript add-on, please ensure to at least temporarily allow all of the TechNet forum to execute JavaScript. When I temporarily allowed the forum website to do this using NoScript, I could successfully post a reply. Before this, nothing would happen (no error message appeared) when I clicked the reply button (to an existing thread).

    You can display the menu below by clicking the NoScript icon (the blue S) and choosing Temporarily allow all this page.

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Firefox_Menu3.png

    If you are still experiencing issues with IE or Firefox, you could try emptying the cache of one or both browsers:

    The steps for doing this are detailed in the following support articles:

    Firefox:

    http://support.mozilla.org/en-US/kb/how-clear-firefox-cache

    I would also suggest ticking/enabling the options for all of the remaining checkboxes (and not just the cache) to clear out all saved webpages and data if you still are encountering issues.

    Internet Explorer:

    http://support.microsoft.com/kb/260897

    You could also try running the automated Internet Explorer Fix It repair tool available from the following link:

    http://support.microsoft.com/mats/ie_performance_and_safety/en-us

    If after all of the above steps you cannot reply to a forum thread, I would suggest either resetting Firefox to default settings or the equivalent with IE:

    The steps for doing this are detailed in the following support articles:

    Firefox:

    http://support.mozilla.org/en-US/kb/reset-preferences-fix-problems

    Internet Explorer:

    http://support.microsoft.com/kb/923737

    I hope the above information is of assistance to you. Unfortunately I am not aware of another method to reply to you (this forum does not feature private messages), unless you wish to use an email address?

    Thank you.

    • Edited by JamesC_836 Tuesday, April 30, 2013 10:28 AM
    • Marked as answer by Machi12 Tuesday, April 30, 2013 12:56 PM
    Tuesday, April 30, 2013 10:26 AM

All replies

  • Thanks JamesC. I followed your suggestion and was able to reply to the original post. I reset IE but have not had a chance to reset Firefox. I will look into this later. Thanks again. Machi
    Tuesday, April 30, 2013 12:56 PM
  • Hi Machi12,

    That’s really good news. I am glad to hear that I was able to assist you.

    You should only reset Firefox if you need to i.e. if it is working fine, there is no need to.

    Take your time looking into any further issues with EMET, one of the other forum members or myself will be happy to assist you whenever you are ready.

    Thanks very much for marking my answer above as being helpful and the solution, it’s much appreciated.

    Tuesday, April 30, 2013 1:36 PM
  • Hi JamesC. You are welcome. I was more than happy with your support. I have been busy reconfiguring IE to be as close as possible to the security level I prefer. It has been a sort of a trial and error approach to strike a balance between security and usability. I noticed that if I enable "Strict P3P validation" in the advanced menu the javascript void issue reappears. So far I have determined that active scripting has to be enabled and Strict P3P validation has to be disabled. I have no real idea what Strict P3P validation does. A more important issue right now is that IE with Process ID 4680 shows as not running EMET in the GUI although IE is configured to do so. It shows as running DEP. I have two instances of IE running at the moment and EMET shows 3 Process IDs for IE. As I mentioned the Process ID for 4680 shows as not running EMET. The other two (Process ID 1376 and 4020) both show as running EMET. I really don't know what is happening here. I will keep working on it. Thanks again. Machi
    Thursday, May 2, 2013 1:50 PM
  • Hi Machi12,

    Thanks for your update.

    If you have any further issues with EMET not protecting a single instance of IE, please create a new question and I will be happy to assist you there. Creating a new question simply makes it easier for others to search for solutions to specific issues. Solving more than one issue in a question can be harder for others to find and benefit from it.

    For your Internet Explorer settings, namely Strict P3P validation and Active Scripting, we can discuss them in this existing thread that you have updated today. I only make minor changes to my IE settings and I find this works best. I am happy to share these settings with you.

    I wanted to confirm, you are using EMET 3.5 Tech Preview with Internet Explorer (IE) 9? You mentioned in your other thread that you are using Windows 7 64 bit. I will try to reproduce this issue later today and then try to resolve it. I look forward to hearing any further progress that you make.

    Thank you.

    -------------------------------------

    EDIT: 2nd May 2013:

    Using IE 9 (32 and 64 bit) with Windows 7 64 bit SP1 and EMET 3.5 Tech Preview. I could not reproduce this issue.

    As you can see from the screenshot below EMET is protecting all of IE’s processes. I started IE using shortcuts to the 64 bit and 32 bit versions. I then created separate InPrivate sessions from these. I also pinned websites to the taskbar (with and without InPrivate mode) enabled. Pinned websites and InPrivate sessions create separate IE parent processes and these new parent processes also have child processes:

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/IE_9_EMET_35_Tech_Preview.png

    Before this test, IE was added to the EMET list of configured applications by simply using these steps:

    Open EMET (the GUI)

    Click Configure Apps:

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_35_Configure_Apps.png

    Click the Add button in the lower left corner of the window and browse to the location of Internet Explorer:

    32 bit: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    
    64 bit: C:\Program Files\Internet Explorer\iexplore.exe

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_35_Add_Application.png

    Here is a screenshot of the list of protected applications once these steps have been completed (only the 2x iexplore.exe entries near the end of the image are relevant):

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/IE_9_EMET_35_Tech_Preview_Config_HL.png

    While I did not encounter any issues, if for some reason a process is not protected by EMET I have found that the following steps usually resolve this:

    Follow the instructions to open a command prompt window as mentioned in the following thread:

    http://social.technet.microsoft.com/Forums/en-US/emet/thread/d319ca4a-51df-4ed2-9204-856dbf15a07e

    The final command you will enter using the command prompt will be (ignore the command for Windows Media Player in that thread):

    EMET_Conf.exe --set "*\iexplore.exe"

    EMET 4.0 Beta has a different way of achieving the same effect as mentioned in the following thread:

    http://social.technet.microsoft.com/Forums/en-US/emet/thread/e3f1e6c8-cc88-4750-ae1f-1cae53759512

    I hope this helps. Thank you.

    -------------------------------------

    I realize that I broke my own advice of creating a new thread to troubleshoot this issue but I wanted to provide this additional info to you as soon as possible.


    • Edited by JamesC_836 Thursday, May 2, 2013 7:56 PM
    Thursday, May 2, 2013 2:46 PM
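
    A way to cross-check the EMET GUI's "Running EMET" column for each IE process ID, as discussed in the posts above. This is an added example and not part of the original thread; it assumes that EMET's injected library is named EMET.dll (32 bit) or EMET64.dll (64 bit), and the function name Get-EmetProcessStatus is hypothetical.

```powershell
# Added example, not from the thread. Assumption: EMET's injected library is
# named EMET.dll (32-bit processes) or EMET64.dll (64-bit processes).
# Run from an elevated 64-bit PowerShell prompt: a 32-bit host cannot list the
# modules of a 64-bit process. Written to work on PowerShell 2.0 (Windows 7).

function Get-EmetProcessStatus {
    param([string]$ProcessName = 'iexplore')

    $procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    foreach ($p in $procs) {
        $status     = 'EMET module not loaded'
        $emetModule = $null
        $image      = $null
        try {
            # -Module lists every DLL mapped into the process.
            $mods = @(Get-Process -Id $p.Id -Module -ErrorAction Stop)
            if ($mods.Count -gt 0) { $image = $mods[0].FileName }

            $hit = $mods |
                Where-Object { $_.ModuleName -match '^EMET(64)?\.dll$' } |
                Select-Object -First 1
            if ($hit) {
                $status     = 'EMET module loaded'
                $emetModule = $hit.FileName
            }
        } catch {
            # Access denied, bitness mismatch, or the process exited meanwhile.
            $status = 'Unknown: ' + $_.Exception.Message
        }

        New-Object PSObject -Property @{
            Id         = $p.Id
            Image      = $image
            Status     = $status
            EmetModule = $emetModule
        } | Select-Object Id, Image, Status, EmetModule
    }
}

# One row per IE process; compare the Id column with the PIDs shown in the EMET GUI.
Get-EmetProcessStatus | Format-Table -AutoSize
```

    The Image column also shows whether a given process was started from Program Files or Program Files (x86), which distinguishes the 64 bit and 32 bit copies of iexplore.exe.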
  • Hi JamesC. Thank you very much for your reply. I have spent quite a while taking screenshots and posting them to photobucket (which I am not really familiar with). I then had to upload the photos in my reply. However after this rather lengthy process I clicked on "Submit" and was informed by TechNet webpage that "Body text cannot contain images or links until we are able to verify your account". Your site does not give me any option to do that. I used my regular verifiable email address to join the site so I have no idea what they are talking about. It would be nice if they made this clear. Do you have any idea how I go about doing this as I can find no information on the website. Your help is much appreciated. Machi

    Friday, May 3, 2013 12:59 AM
  • Hi Machi12,

    This restriction appears to be a recent change on the forum. When I setup my account in May last year my first post contained links (so did my 5th and 6th posts). My 7th post contained images. I never needed to take any action to allow me to do this.

    According to the following threads, accounts are usually verified after a set period of time (how long this actually is does not appear to be known, the post by Richard Mueller in the 2nd thread mentions this):

    http://social.technet.microsoft.com/Forums/en-US/w7itproinstall/thread/b32ea85e-af56-4c1e-8ab2-0fc199fbc1df

    http://social.msdn.microsoft.com/Forums/en-US/reportabug/thread/11bf1d78-a5eb-4032-b470-4629eac29b0f

    Please post a reply in the following thread below, this thread is used to speed up the verification process and has already resolved the issue (of not being able to post images or links) for others who posted in that thread:

    Verify Your Account

    http://social.msdn.microsoft.com/Forums/en-US/reportabug/thread/812eb24a-ecbd-46e8-936b-8ae40da72ec3

    When you upload your screenshots to Photobucket, their site stores those images and you can then use the “Get Links” feature to obtain the direct link to that image and paste that link into the Image URL of this forum as I mentioned in a previous thread:

    http://social.technet.microsoft.com/Forums/en-US/emet/thread/94933bd9-78a0-4e6a-b83d-976472ccfcec

    Images can be uploaded to Photobucket using the Upload button at the top of the image:

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Photobucket4.png

    You can store images in albums (this is the same as folders on your PC and helps keep images organized).

    Hover over the image in your Photobucket library with your mouse pointer and in the top right corner, the gray “cog wheel” will appear. Click this and the following menu will appear. Click Get Links:

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Photobucket1.png

    I find the Direct Link the easiest to use:

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Photobucket2.png

    Right click this text and choose Copy. You can then paste this link anywhere you wish. When replying or creating a new post, place your cursor in the position where you want your image in your post to appear (as if you are going to type a word in that position) and then click the insert image icon:

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/EMET_Forum_Create_Post_With_Image.png

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Photobucket3.png

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/Photobucket5.png

    I began to use Photobucket because it allows you to reference your screenshots/photos while maintaining their full size (many sites reduce the images to smaller images (thumbnails)). Almost all forums allow the use of image links (in a similar way to what I described above for this forum) but only some allow you to upload images directly. In a worst case scenario, posting a link to an image will allow anyone to view that image on a separate page. The Direct Links I consistently post serve this purpose. They also allow users to easily download the images for their reference anytime they wish.

    I hope the above advice is some assistance to you. If I can assist any further, please let me know. My apologies that asking for assistance on this EMET forum has been far from simple.

    Thank you.

    Friday, May 3, 2013 9:49 AM
  • Hi JamesC. Thanks for the reply. I much appreciate the help. I posted a message on the verification site you provided. I have no idea how long this will take. I also have no idea how they go about verifying? I noticed when the page was loading it stalled with a message "microsoft.com is not responding due to a long running script" which had a button option to "stop script" which I clicked of course and the page loaded normally. I assume this is a security measure which helps in the verification process as I can see no other reason for this message? I had already deduced that using the "direct link" on the photobucket site was the best option. I am using a mixture of jpg and png images. I assume both are ok? I had to take 5 separate screenshots for the advanced tab of IE to show all of my advanced settings. I also took 2 screenshots of EMET gui (including the configure apps page). I am just waiting for verification to post them. Talk to you soon I hope. Thanks again. Machi
    Friday, May 3, 2013 11:49 AM
  • Hi Machi12,

    It appears to take about 1 day to have your account verified (from a post in that thread by a user requesting it and another stating they were now able to post images). Like you, I don’t know what it involves. I am guessing it is a simple change that is made on the forum by a moderator to your account which won’t be visible to you and me.

    I had already deduced that using the "direct link" on the photobucket site was the best option.

    Alright, sounds good.

    I am not sure what the long running script message is. I have never encountered it on this site, although I did receive a message that the forum wasn’t responding about an hour ago.

    You’re right, JPG and PNG images are fine. Photobucket will only allow you to upload image formats it supports. I mainly use PNG but use JPG when I need to keep the download size of an image as small as possible (although PNG files are also very small in size).

    I will share my IE 9 Advanced Settings with you later today. Thanks.

    Friday, May 3, 2013 12:20 PM
  • Hi JamesC. It looks like the site acknowledges verification by replying to your post from what I can see. Acknowledgement looks to be quite speedy in some cases and up to about 3 days in others. I don't know if they send you a verification email with a link included or not? Quite a mystery. I will post the images when I am able to do so. Thanks for everything. Machi
    Friday, May 3, 2013 12:42 PM
  • I will post the images when I am able to do so. Thanks for everything. Machi

    Hi Machi12,

    I look forward to seeing them :)

    Please find below the Advanced Settings that I use with IE 9:

    -----------------------------------------------------------------------------------------------------

    Direct Links To Images:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/IE_9_Adv_Settings_1.png

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/IE_9_Adv_Settings_2.png

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/IE_9_Adv_Settings_3.png

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/IE_9_Adv_Settings_4.png

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/IE_9_Adv_Settings_5.png

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/IE_9_Adv_Settings_6.png

    -----------------------------------------------------------------------------------------------------

    As you can see, I have not changed very much from the defaults. While increased security can be obtained from these settings, I am always aware that changing any browser settings can introduce compatibility issues.

    In summary, here is what I have changed:

    Enable (tick): International: Always show encoded address

    Disable (un-tick): Play Sounds in webpages

    Explanations of why these settings should be changed is available from the following in-depth article from the US Computer Emergency Response Team (CERT):

    http://www.us-cert.gov/publications/securing-your-web-browser

    One setting in particular that I recommend you leave at the default of disabled is “Do not save encrypted pages to disk.” The following links explain why:

    http://blogs.msdn.com/b/ieinternals/archive/2011/05/07/downloads-and-flash-fail-when-do-not-save-encrypted-pages-to-disk-is-set.aspx

    http://blogs.technet.com/b/fdcc/archive/2010/10/06/sticking-with-well-known-and-proven-solutions.aspx

    The vast majority of US-CERT's suggestions I have ignored e.g. setting the Internet Zone security level to high since this disables JavaScript that many sites need to work correctly. Indeed even features within IE work differently. While JavaScript is a significant attack vector for malware, IE was never really designed to have it turned off. E.g. the 10 clickable most visited sites on the new tab page of IE will no longer appear. This is a large drawback since I use these very often. I use the Favorites bar extremely often too but the 10 most popular sites links save me a lot of time.

    Also the settings for prompting with 1st and 3rd party cookies mentioned by US-CERT will very quickly begin to irritate you while you are trying to browse the internet. I simply set mine to allow 1st party cookies and block 3rd party cookies. I don’t receive any prompts/messages while browsing. Many internet users like to allow advertising (3rd party) cookies, but it’s a personal preference.

    Firefox using the No-Script add-on is a lot more convenient if you are visiting sites that you don’t trust and wish to keep JavaScript disabled.

    A discussion of what JavaScript is can be found in the following blog post:

    http://nakedsecurity.sophos.com/2013/01/16/java-is-not-javascript-tell-your-friends/

    I am also aware that using sites that you do trust actually offers little extra security due to watering-hole attacks:

    http://www.symantec.com/connect/blogs/internet-explorer-zero-day-used-watering-hole-attack-qa

    In addition, I have made the following small change to the Internet Security Zone (set to disabled):

    1. Open Internet Explorer, select Tools | Internet Options
    2. Click the Security tab
    3. Choose the desired zone (Internet, Local intranet, Trusted sites, or Restricted Sites) and click Custom Level
    4. Scroll down to Launching programs and files in an IFRAME
    5. Select Disable to prevent iframes altogether or Prompt if you wish to decide on a site-by-site basis.
    6. Click OK
    7. Repeat for each of the desired security zones.
    8. Click OK to exit the Internet Options menu.

    Source: http://answers.microsoft.com/en-us/ie/forum/ie8-windows_other/anyway-to-completely-disable-iframes/2f4c16cb-d7bf-4b97-a5d3-8e7a963af835

    My thanks to deepakmm for these steps.

    I have not encountered any issues with using this setting.

    If you wish you can also disable font downloads. This does make text look a little larger on some sites, so you may not wish to for this reason. The following link explains how to do this:

    http://blogs.technet.com/b/srd/archive/2011/12/13/more-information-on-ms11-087.aspx

    I recall that you mentioned Strict P3P validation, here is a link to information on this setting:

    http://www.microsofttranslator.com/bv.aspx?from=de&to=en&a=http%3A%2F%2Fblogs.technet.com%2Fb%2Fiede%2Farchive%2F2012%2F08%2F13%2Fas-75-strikte-p3p-220-berpr-252-fung-aktivieren.aspx

    I have left Strict P3P Validation disabled (the default setting).

    For me, I don’t have the time to rigorously test the effect of every setting of IE and so make as few changes as possible. While this makes my browser slightly more vulnerable to attack from malware/drive by downloads/exploits, I believe that you need to balance security with functionality and your time/patience.

    I am using IE 10 64 bit with Enhanced Protected Mode enabled for daily browsing installed on Windows 7 64 bit (I hope to migrate to Windows 8 64 bit in the coming months). The settings above are for IE 9 but IE 10 includes additional check boxes to enable Enhanced Protected Mode and Strict P3P Validation. I also prefer to not browse with any add-ons enabled by enabling ActiveX filtering. If I need to view a site that uses Flash, I can disable ActiveX filtering only for that site.

    Full details on these features are available from the following links:

    http://blogs.msdn.com/b/ie/archive/2012/03/14/enhanced-protected-mode.aspx

    http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx

    http://ie.microsoft.com/testdrive/Browser/ActiveXFiltering/About.html

    IE 10 also introduced increased security over IE 9:

    http://blogs.msdn.com/b/ie/archive/2012/03/12/enhanced-memory-protections-in-ie10.aspx

    Enhanced Protected Mode will not work smoothly for everyone since all add-ons will need to be compatible with it. Since I only have Adobe Flash 11.7 64 bit and Silverlight 5.1 64 bit installed, it is not an inconvenience to me. Since I also use a standard user Windows account for the daily use of my PC as well as protecting IE 10 with EMET 3.0, my risk while browsing I consider to be minimal while still enabling me to browse websites without annoying compatibility issues.

    Since I am using the 64 bit version of IE 10, I am somewhat less vulnerable to shell code exploits since the shell code would need to be 64 bit to work with 64 bit IE 10. The EAF mitigation of EMET also helps.

    http://blogs.msdn.com/b/ieinternals/archive/2009/05/29/q-a-64-bit-internet-explorer.aspx

    The final version of EMET 4.0 will further increase security when it arrives (hopefully) this month.

    UPDATE 9th May 2013: According to the following blog post, the final version of EMET 4.0 has been delayed by 2 weeks and is now scheduled for release on the 28th of May 2013:

    http://blogs.technet.com/b/srd/archive/2013/05/08/emet-4-0-s-certificate-trust-feature.aspx

    The above settings are simply what work for me, but will not suit everyone. As I mentioned, we each need to find what works best for us, the majority of users can simply use the default settings.

    If you would like me to test if EMET 3.5 Tech Preview works with IE 10 on Windows 7, I can do so.

    I hope the above information is of assistance to you. I realize that you don’t mind long posts, but my apologies to those that dislike posts of this length.

    Thank you.

    • Edited by JamesC_836 Thursday, May 9, 2013 1:49 PM Updated with new info on final version of EMET 4.0
    Friday, May 3, 2013 4:15 PM
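
    A read-only audit of the per-zone IE settings discussed in the answers above (Active scripting, Launching programs and files in an IFRAME, and font downloads), so that the values can be compared between machines without paging through the Custom Level dialog. This is an added example and not part of the original thread; the function name Get-IEZoneSetting is hypothetical, and the script reads only the current user's own zone settings.

```powershell
# Added example, not from the thread. Reads the current user's IE security zone
# settings from the registry. Values pushed by Group Policy are stored under
# HKCU:\Software\Policies\... (or HKLM) and take precedence; pass that key as
# -Root to inspect them. Written to work on PowerShell 2.0 (Windows 7).

# Zone numbers used as registry subkey names.
$ZoneNames = @{
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

# URL action IDs (registry value names) for the settings named in the thread.
$UrlActions = @{
    '1400' = 'Active scripting'
    '1604' = 'Font download'
    '1804' = 'Launching programs and files in an IFRAME'
}

# DWORD values used by these three settings.
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneSetting {
    param(
        [string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )

    foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
        $key   = Join-Path $Root "$zone"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        foreach ($id in ($UrlActions.Keys | Sort-Object)) {
            # A missing value means the user has no explicit setting stored here.
            $state = 'Not set for this user'
            if ($props -and ($props.$id -ne $null)) {
                $raw = [int]$props.$id
                if ($Meaning.ContainsKey($raw)) {
                    $state = $Meaning[$raw]
                } else {
                    $state = "Other ($raw)"
                }
            }

            New-Object PSObject -Property @{
                Zone    = $ZoneNames[$zone]
                Setting = $UrlActions[$id]
                State   = $state
            } | Select-Object Zone, Setting, State
        }
    }
}

Get-IEZoneSetting | Format-Table -AutoSize
```

    A row showing Active scripting as Disable for the Internet zone corresponds to the condition in which the forum's reply button stopped working earlier in this thread.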
  • Hi JamesC. Your security settings look quite similar to mine. I also use IE 10 64 bit which from what I understand enhanced protected mode (EPM) has to be enabled to force IE 10 to use 64 bit? If it is disabled then IE 10 will use 32 bit by default? Please correct me if I am wrong about this. IE 9 which I upgraded a short while ago to IE 10 has separate 32 bit and 64 bit. I always used the 64 bit for the extra security. I hope IE 10 is indeed running 64 bit when EPM is selected? When I look at the IE running in EMET gui it shows each IE instance as Program Files \ IE and not Program Files (X86) \ IE which I suppose indicates that IE 10 X 64 is running.

    I normally surf with Security settings on high and simply change what I have to depending on what site I am visiting. I suppose most people would find this annoying and inconvenient but I think it is worth the effort. One other thing I do and I am not sure if it really raises my security level: I always have Outbound Windows Firewall set to Block unless allowed by a rule. Inbound always set to Block all connections. I simply do manual updates and set Outbound to allow briefly for that purpose. Again most people would find that annoying. I am not sure if this adds any extra security at all? Perhaps you can enlighten me on this? I also noticed there are a couple of extra settings in the Security (not Advanced) tab of IE 10 which were not there in IE 9. I can't recall exactly what they are right now and it seems a bit off topic for the purposes of this post. Later I will take some screen shots of my Security settings and I can point them out then.

    I haven't been verified yet so I am still unable to upload anything other than text. I want to thank you again for helping me out. Machi

    Friday, May 3, 2013 10:59 PM
  • Hi Machi,

    You are correct, with (Enhanced Protected Mode) EPM turned on, all instances of IE will be 64 bit, including the child processes. In addition, with or without EPM enabled the child processes only have low integrity which also has security benefits. This was explained in the blog post that I previously linked to above.

    Please find Process Explorer screenshots showing the difference in the bit levels of these processes. In both cases, I used a shortcut pointing to the 64 bit version of IE 10 to launch it.

    No EPM:

    With EPM:

    Direct Links to Images:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/IE10_No_EPM.png

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/IE10_With_EPM.png

    Please also find a screenshot below showing EMET 3.5 Tech Preview protecting numerous mixed instances of IE 10 64 bit with EPM enabled when launched as follows:

    • From a shortcut
    • From a shortcut with InPrivate mode enabled
    • From a pinned site on the taskbar
    • From a pinned site on the taskbar with InPrivate mode enabled.

    As you can observe from the following screenshot, all instances are protected by EMET. My decision to launch IE in several different ways was to show that the method of launch or the mode that IE is operating in should not affect whether EMET protects it or not:

    Direct Link to Image:

    http://i742.photobucket.com/albums/xx69/Jimboc/Microsoft/IE10_EMET_35.png

    Using a firewall that blocks all outbound connections unless allowed by a rule is essentially the same as a firewall that uses an application whitelist, i.e. only allowing known reputable programs to access the internet. This will increase security but has the extra overhead that you need to manage this yourself using the rules. The firewall included with my security software also uses a whitelist but this is automatically managed by it.

    Some firewalls block all inbound connections unless a known good/reputable program is allowed through using a rule. However the Windows 7 built-in Firewall works as follows:

    • The firewall blocks all inbound traffic, with the exception of traffic sent in response to a request sent by your computer and unsolicited traffic that has been allowed by creating a rule.
    • All outgoing traffic is allowed unless it matches a configured rule.

    The Windows 7 firewall also protects your PC differently depending on which profile it is using, e.g. connected to a network domain (a corporate network), a private home network or a public network (e.g. Wi-Fi hotspot). There are other features to the Windows 7 firewall but I have not included them here since they are not relevant in this context.

    Your approach to inbound/outbound internet traffic seems fine to me but not everyone is prepared to be as “hands on” as you with how you manage them.

    I hope the above information answers your questions. I would be happy to provide any further assistance or advice that you may require.

    My apologies for taking this thread off-topic several times.

    Thank you.

    Saturday, May 4, 2013 3:56 PM
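
The default-block outbound policy discussed in the two posts above, as an added example that is not part of the thread: PowerShell functions around the built-in `netsh advfirewall` context that report each profile's default policy, apply the stricter one, and add a per-program outbound allow rule. It assumes English-language netsh output and an elevated prompt; the function names, rule name and program path are hypothetical.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumption: netsh prints English text such as
#   "Domain Profile Settings:" and "Firewall Policy    BlockInbound,AllowOutbound".

function Get-FirewallPolicy {
    # Return one object per profile with its default inbound/outbound action.
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings') {
            $current = $Matches[1]
        } elseif ($current -and $line -match '^Firewall Policy\s+(\S+),(\S+)') {
            New-Object PSObject -Property @{
                Profile  = $current
                Inbound  = $Matches[1]
                Outbound = $Matches[2]
            }
        }
    }
}

function Set-StrictPolicy {
    # Inbound: block all connections, even those matching an allow rule.
    # Outbound: block unless an allow rule matches.
    # Quoted so PowerShell passes the comma-separated value as one argument.
    netsh advfirewall set allprofiles firewallpolicy "blockinboundalways,blockoutbound"
}

function Add-OutboundAllowRule([string]$Name, [string]$Program) {
    # Whitelist one program for outbound traffic under the default-block policy.
    netsh advfirewall firewall add rule "name=$Name" dir=out action=allow "program=$Program" enable=yes
}

# List profiles that still allow outbound traffic by default.
Get-FirewallPolicy | Where-Object { $_.Outbound -ne 'BlockOutbound' }

# Apply the policy, then allow a single program (placeholder name and path).
# Set-StrictPolicy
# Add-OutboundAllowRule -Name 'Example allow rule' -Program 'C:\Path\To\Program.exe'
```
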
  • Hi JamesC. Sorry I didn't get back to you sooner. As the saying goes the devil is in the details. I can finally upload images so I am including them. Here are my Advanced IE (10) settings:

    What are the security issues (if any) of the following: "Use software rendering instead of GPU rendering"; "Display accelerator button on selection"; "Enable FTP folder view (outside of internet explorer)"; "Enable visual styles on buttons and controls in webpages"; "Enable websites to use the search pane"; "Use passive FTP (for firewall and DSL modem compatibility)"; "Use HTTP 1.1"; "Use HTTP 1.1 through proxy connections"; "Always show encoded addresses"; "Send IDN server names"; "Send UTF-8 URLs"; "Show notification bar for encoded addresses"; "Enable alternative codecs in HTML5 media elements"; "Do not save encrypted pages to disk"; "Enable DOM storage"; "Enable integrated windows authentication"; "Enable native XMLHTTP support"
    I have also taken screenshots of my Security IE settings. As I mentioned in a previous post there are a few new settings present in IE 10 that were not there in IE 9. I will not include these in the present post as the current questions I am asking about the Advanced settings are sufficient for the present.
    I am not including the EMET images either. I will include these in my original EMET thread as it would seem to be more relevant there. Thanks again for all your help. Machi

    Friday, May 10, 2013 3:25 PM
  • Hi Machi12,

    I am really glad to hear that your forum account has now been verified and that you can post links and images :)

    My apologies for not replying to you sooner. My availability/time has been limited lately and my responses are delayed due to this.

    Please find below my responses to your questions:

    -------------------------------------

    Use software rendering instead of GPU rendering:

    With this setting disabled, i.e. not checked/ticked: There is a very small security risk if a flaw is discovered in DirectX that is used to render webpages via hardware acceleration. This type of render is different from WebGL (although WebGL has been strengthened in those 2 years). With EMET enabled for IE and Enhanced Protected Mode for IE 10 enabled, there is little to no risk. I have used GPU rendering since March 2011 with IE 9 (and now with IE 10) and never had any reason to be concerned about a security issue.

    Using software rendering means that you are using IE to render the webpage which will work but intensive pages such as HTML5 games or benchmarks may perform slowly using software rendering.

    You can leave this setting to what you have it set to now, feel free to change it any time.

    -------------------------------------

    Display accelerator button on selection:

    This is a user interface option, it should not contribute any security risk. I would leave it ticked/enabled.

    -------------------------------------

    -------------------------------------

    Enable FTP folder view (outside of internet explorer):

    This is a user interface option, it should not contribute any security risk. I would leave it ticked/enabled.

    -------------------------------------

    -------------------------------------

    Enable visual styles on buttons and controls in webpages

    This is a user interface option, it should not contribute any security risk. I would leave it ticked/enabled.

    -------------------------------------

    -------------------------------------

    Enable websites to use the search pane

    This is a usability option, it should not contribute any security risk. I would leave it un-ticked/disabled (the default setting).

    -------------------------------------

    -------------------------------------

    Use passive FTP (for firewall and DSL modem compatibility):

    Formal description:

    This setting allows you to change the Internet Explorer FTP Client mode. You need to enable this setting if you have problems connecting to FTP sites using Internet Explorer when your system is behind a firewall. Please note that "Internet Explorer behaves as a Standard mode FTP client if you select the Enable folder view for FTP sites check box, even if you also select the Use Passive FTP check box. If you clear the Enable folder view for FTP sites check box and then select the Use Passive FTP check box, Internet Explorer behaves as a Passive mode FTP client".

    Summary: This is a usability option, it should not contribute any security risk. I would leave it ticked/enabled.

    -------------------------------------

    -------------------------------------

    Use HTTP 1.1:

    This setting should be enabled and should not pose any security risk.

    -------------------------------------

    -------------------------------------

    Use HTTP 1.1 through proxy connections:

    Description: This setting specifies whether to use HTTP 1.1 protocol when connecting to Web sites through proxy servers.

    This setting should be enabled and should not pose any security risk.

    -------------------------------------

    Always show encoded addresses:

    I would tick/enable this option for the reason that I previously mentioned in the US CERT Securing your Web Browser guide:

    http://www.us-cert.gov/publications/securing-your-web-browser

    -------------------------------------

    -------------------------------------

    Send IDN server names:

    The US CERT guide leaves this option enabled/ticked.

    -------------------------------------

    -------------------------------------

    Send UTF-8 URLs:

    The US CERT guide leaves this option enabled/ticked.

    -------------------------------------

    -------------------------------------

    Show notification bar for encoded addresses:

    The US CERT guide leaves this option enabled/ticked.

    -------------------------------------

    -------------------------------------

    Enable alternative codecs in HTML5 media elements:

    This option is discussed in the following thread:

    http://social.msdn.microsoft.com/Forums/en-US/iewebdevelopment/thread/87d28bce-f80d-48fd-9f26-20e2290046c8

    I would leave it ticked/enabled as I would consider it a minimal security risk.

    -------------------------------------

    -------------------------------------

    Do not save encrypted pages to disk:

    As I previously mentioned, I recommend you leave this setting at the default of disabled/not ticked. The following links explain why:

    http://blogs.msdn.com/b/ieinternals/archive/2011/05/07/downloads-and-flash-fail-when-do-not-save-encrypted-pages-to-disk-is-set.aspx

    http://blogs.technet.com/b/fdcc/archive/2010/10/06/sticking-with-well-known-and-proven-solutions.aspx

    -------------------------------------

    -------------------------------------

    Enable DOM storage

    This setting is discussed in the following thread:

    http://answers.microsoft.com/en-us/ie/forum/ie8-windows_other/dom-storage-in-ie-toolsinternet/37933a29-aa33-44bf-997e-166e532860c4

    I would leave it ticked/enabled as I would consider it a minimal security risk.

    -------------------------------------

    -------------------------------------

    Enable integrated windows authentication:

    This setting is discussed in the following TechNet article:

    http://technet.microsoft.com/en-us/library/cc758557(v=WS.10).aspx

    I would leave it ticked/enabled as I would consider it a minimal security risk.

    -------------------------------------

    -------------------------------------

    Enable native XMLHTTP support:

    This setting is discussed in the following links:

    http://msdn.microsoft.com/en-us/library/ms537505(v=VS.85).aspx

    http://stackoverflow.com/questions/10347963/what-is-the-purpose-of-enable-native-xmlhttp-support-option-in-ie

    I would leave it ticked/enabled as I would consider it a minimal security risk.

    -------------------------------------

    In conclusion, the vast majority of Internet Explorer users will be better served by using the default Advanced Settings. It is extremely likely the default settings have been extensively tested to ensure maximum compatibility while also ensuring a more than adequate defence against malicious exploits.

    I hope the above information is of assistance to you. If you have any further questions, please let us know. Thank you.

    • Edited by JamesC_836 Sunday, May 12, 2013 3:39 PM Added further info
    Sunday, May 12, 2013 11:18 AM