Guidance for securing applications that host the WebBrowser Control
Published: August 8, 2017
Version: 1.0
Executive Summary
Microsoft is releasing this security advisory to provide information regarding security settings for applications developed with the Microsoft Internet Explorer layout engine, also known as the Trident layout engine. This advisory also provides guidance on what developers and individuals can do to ensure that their applications hosting the WebBrowser Control are properly secured.
Advisory Details
Internet Explorer provides several Internet feature controls, also called feature control keys, that are stored in the registry and are responsible for enhancing the browsing experience, improving support for industry standards, and improving security. Microsoft has documented these Internet feature control keys and recommends enabling specific feature control keys for security reasons. Microsoft strongly encourages all developers hosting the WebBrowser Control in their application to review the security-related feature control keys and to enable them.
Note: Not all feature control keys can be set with the Feature Control Functions; those that cannot must be set via the registry.
User-Specific Information
Users who wish to take immediate action can protect themselves by manually creating and setting registry entries for all applications or for specific applications that they know host the WebBrowser Control.
Warning: If you use Registry Editor incorrectly, you could cause serious problems that could require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
All applications
For example, to set a feature control to disable the “about” protocol for all applications using the WebBrowser Control:
Click Start, click Run, type regedt32 or type regedit, and then click OK.
In Registry Editor, locate the following registry folder:
Right-click the new registry item and select Modify.
In the Edit DWORD (32-bit) Value dialog box, type 1 in the Value data field and click OK to close.
Other Information
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.