Microsoft Security Advisory 4038556

Guidance for securing applications that host the WebBrowser Control

Published: August 8, 2017

Version: 1.0

Executive Summary

Microsoft is releasing this security advisory to provide information regarding security settings for applications developed with the Microsoft Internet Explorer layout engine, also known as the Trident layout engine. This advisory also provides guidance on what developers and individuals can do to ensure that their applications hosting the WebBrowser Control are properly secured.

Advisory Details

Internet Explorer provides several Internet feature controls, also called feature control keys, that are stored in the registry and are responsible for enhancing the browsing experience, improving support for industry standards, and improving security. Microsoft has documented these Internet feature control keys and recommends enabling specific feature control keys for security reasons. Microsoft strongly encourages all developers hosting the WebBrowser Control in their application to review the security-related feature control keys and to enable them.

Developer-Specific Information

Application developers have two methods available to them for setting feature control keys, which are documented in the Enabling and Disabling Features section of Introduction to Feature Controls.

Note: Not all feature control keys can be set with the Feature Control Functions; those that cannot must be set via the registry.

User-Specific Information

Users who wish to take immediate action can protect themselves by manually creating and setting registry entries for all applications or for specific applications that they know host the WebBrowser Control.

Warning: If you use Registry Editor incorrectly, you could cause serious problems that could require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

All applications

For example, to set a feature control to disable the “about” protocol for all applications using the WebBrowser Control:

  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry folder:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7
  3. On the Edit menu, select New > DWORD.
  4. Name the new DWORD registry item as *
  5. Right-click the new registry item and select Modify.
  6. In the Edit DWORD (32-bit) Value dialog box, type 1 in the Value data field and click OK to close.

Specific applications

For example, to set a feature control to disable the “about” protocol for the “contoso.exe” application using the WebBrowser Control:

  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry folder:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7
  3. On the Edit menu, select New > DWORD.
  4. Name the new DWORD registry item as contoso.exe
  5. Right-click the new registry item and select Modify.
  6. In the Edit DWORD (32-bit) Value dialog box, type 1 in the Value data field and click OK to close.
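
The two Registry Editor procedures above (all applications and a specific application) can also be scripted and verified. The following PowerShell is an added example, not part of this advisory; the function names are hypothetical, and it uses the .NET registry API because the PowerShell registry provider can treat the value name * as a wildcard.

```powershell
# Added example (not from the advisory). Run from an elevated PowerShell session,
# because the entries are written under HKEY_LOCAL_MACHINE.
# The key path is the one given in the Registry Editor steps above.
$FeatureKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\' +
              'FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7'

function Get-AboutProtocolRestriction {
    # Hypothetical helper: reports whether the entry exists as a DWORD set to 1.
    param([Parameter(Mandatory)][string]$Name)

    # Registry.GetValue returns $null when the key or the value is missing.
    $value = [Microsoft.Win32.Registry]::GetValue($FeatureKey, $Name, $null)

    [pscustomobject]@{
        Entry    = $Name
        Value    = $value
        # A string "1" is not the DWORD the steps call for, so check the type too.
        Enforced = ($value -is [int]) -and ($value -eq 1)
    }
}

function Set-AboutProtocolRestriction {
    # Hypothetical helper: creates the entry as a DWORD with value 1, then re-reads it.
    param([Parameter(Mandatory)][string]$Name)

    # SetValue creates the key if it does not exist and takes the name literally,
    # so '*' is stored as the value name rather than expanded as a wildcard.
    [Microsoft.Win32.Registry]::SetValue(
        $FeatureKey, $Name, 1, [Microsoft.Win32.RegistryValueKind]::DWord)

    $state = Get-AboutProtocolRestriction -Name $Name
    if (-not $state.Enforced) {
        throw "Entry '$Name' was written but did not read back as DWORD 1."
    }
    return $state
}

# '*' covers all applications; 'contoso.exe' is the advisory's example application.
foreach ($entry in '*', 'contoso.exe') {
    $before = Get-AboutProtocolRestriction -Name $entry
    if ($before.Enforced) {
        Write-Output "Already enforced for '$entry'."
    } else {
        Set-AboutProtocolRestriction -Name $entry | Format-List
    }
}
```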

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (August 8, 2017): Advisory published.

Page generated 2017-08-07 15:55-07:00.