Description
Microsoft Browser Information Disclosure Vulnerability
An information disclosure vulnerability exists when affected Microsoft scripting engines do not properly handle objects in memory. The vulnerability could allow an attacker to detect specific files on the user's computer. In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability.
In addition, compromised websites and websites that accept or host user-generated content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's site.
An attacker who successfully exploited the vulnerability could potentially read data that was not intended to be disclosed. Note that the vulnerability would not allow an attacker to either execute code or to elevate a user’s rights directly, but the vulnerability could be used to obtain information in an attempt to further compromise the affected system.
The security update addresses the vulnerability by helping to restrict what information is returned to affected Microsoft browsers.
FAQ
After I install the updates for CVE-2017-8529, is there anything else I need to do to be protected from this vulnerability?
Yes. With the rerelease of CVE-2017-8529 Microsoft has addressed previously known print issues related to this vulnerability; however, to prevent the potential for any further print regressions, the solution for CVE-2017-8529 is turned off by default. To be fully protected from this vulnerability, you need to do the following after installing the update:
Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Note: If you have previously configured the FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX subkey, double-click the iexplore.exe DWORD and then follow Step 7 to change the value.
For 32-bit and 64-bit systems:
- Click Start, click Run, type regedt32 or type regedit, and then click OK.
- In Registry Editor, locate the following registry folder:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
- Right-click FeatureControl, point to New, and then click Key.
- Type FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX, and then press Enter to name the new subkey.
- Right-click FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX, point to New, and then click DWORD Value.
- Type "iexplore.exe" for the new DWORD value.
- Double-click the new DWORD value named iexplore.exe and change the Value data field to 1.
- Click OK to close.
For 64-bit systems only:
- Click Start, click Run, type regedt32 or type regedit, and then click OK.
- In Registry Editor, locate the following registry folder:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\
- Right-click FeatureControl, point to New, and then click Key.
- Type FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX, and then press Enter to name the new subkey.
- Right-click FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX, point to New, and then click DWORD Value.
- Type "iexplore.exe" for the new DWORD value.
- Double-click the new DWORD value named iexplore.exe and change the Value data field to 1.
- Click OK to close.
If you need to disable the solution for CVE-2017-8529, do the following:
For 32-bit and 64-bit systems:
- Click Start, click Run, type regedt32 or type regedit, and then click OK.
- In Registry Editor, locate the following registry folder:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX
- Double-click the value named iexplore.exe and change the Value data field to 0.
- Click OK to close.
For 64-bit systems only:
- Click Start, click Run, type regedt32 or type regedit, and then click OK.
- In Registry Editor, locate the following registry folder:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX
- Double-click the value named iexplore.exe and change the Value data field to 0.
- Click OK to close.
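The enable and disable procedures above can be scripted and audited across both registry views. This is an added PowerShell example, not code from Microsoft or from this page; the function names are hypothetical, while the key, value name and data are those given in the steps.

```powershell
# Added example: audit and set the CVE-2017-8529 FeatureControl value.
# Run from an elevated 64-bit PowerShell session: HKLM writes need admin
# rights, and a 32-bit session is redirected to WOW6432Node.
$FeatureName = 'FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX'
$ValueName   = 'iexplore.exe'
$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl')
if ([Environment]::Is64BitOperatingSystem) {
    # 64-bit systems also need the 32-bit (WOW6432Node) view.
    $Roots += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl'
}

function Get-PrintInfoDisclosureFix {
    # Report the current state of the value in each registry view.
    foreach ($root in $Roots) {
        $key  = Join-Path $root $FeatureName
        $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        $data = if ($item) { $item.$ValueName } else { $null }
        [pscustomobject]@{
            Key     = $key
            Data    = $data            # $null means the value is not configured
            Enabled = ($data -eq 1)    # only 1 turns the solution on
        }
    }
}

function Set-PrintInfoDisclosureFix {
    # 1 enables the solution, 0 disables it (the two procedures above).
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Data)
    foreach ($root in $Roots) {
        $key = Join-Path $root $FeatureName
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null   # create the subkey
        }
        # -Force creates the DWORD or overwrites a previously configured one.
        New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord `
            -Value $Data -Force | Out-Null
    }
}

Set-PrintInfoDisclosureFix -Data 1
Get-PrintInfoDisclosureFix | Format-Table -AutoSize
```

Running `Get-PrintInfoDisclosureFix` alone is a read-only check for hosts where the update is installed but the solution was left at its default of off.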
Updates
Product | Article | Update |
---|---|---|
Microsoft Edge (EdgeHTML-based) on Windows Server 2016 | ||
Internet Explorer 11 on Windows 10 Version 1703 for 32-bit Systems | ||
Internet Explorer 11 on Windows 10 Version 1703 for x64-based Systems | ||
Internet Explorer 11 on Windows Server 2016 | ||
Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1703 for 32-bit Systems | ||
Microsoft Edge (EdgeHTML-based) on Windows 10 Version 1703 for x64-based Systems | ||
Internet Explorer 10 on Windows Server 2012 | ||
Internet Explorer 11 on Windows 8.1 for 32-bit systems | ||
Internet Explorer 11 on Windows 8.1 for x64-based systems | ||
Internet Explorer 11 on Windows Server 2012 R2 | ||
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
EPSS
4.3 Medium
CVSS3
Related vulnerabilities
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, and Windows Server 2012 and R2 allows an attacker to detect specific files on the user's computer when affected Microsoft scripting engines do not properly handle objects in memory, aka "Microsoft Browser Information Disclosure Vulnerability".