How to disable JScript execution in Internet Explorer


To be able to disable JScript execution in Internet Explorer you will first have to install the IE Cumulative Security Update. Applies to: Internet Explorer 11 on Windows 10, Internet Explorer 11 on Windows 8.1 Update, and Internet Explorer 10 on Windows Server 2012.

This security update resolves several reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Internet Explorer. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures. Also, this security update includes several nonsecurity-related fixes for Internet Explorer.
Additionally, see Windows 10 and Windows Server 2016 update history for more information on cumulative updates for Windows 10 and Windows Server 2016.
Important
  • The fixes included in this Security Update for Internet Explorer 4014661 are also included in the April 2017 Security Monthly Quality Rollup. Installing either the Security Update for Internet Explorer or the Security Monthly Quality Rollup installs the fixes that are resolved with this update.
  • If you use update management processes other than Windows Update and you automatically approve all security updates classifications for deployment, this Security Update for Internet Explorer 4014661, the April 2017 Security Only Quality Update, and the April 2017 Security Monthly Quality Rollup are deployed. We recommend that you review your update deployment rules to make sure the desired updates are deployed.
  • This Security Update for Internet Explorer is not applicable for installation on a computer where the Security Monthly Quality Rollup or the Preview of Monthly Quality Rollup from April 2017 (or a later month) is already installed, as those updates contain all fixes in this Security Update for Internet Explorer.

If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Additionally, on Windows 8, Windows 8.1, and Windows 10 versions 1507 up to 1709, the ability to toggle off IE JScript execution must first be enabled using an Internet feature control key; instructions on how to configure such a key are available below.

Feature Controls.

  • IFrame Mailto Threshold
  • Image MIME Type Determination
  • Information Bar Handling
  • Input Prompt Blocking
  • IViewObject Legacy Drawing
  • Legacy Input Model
  • Legacy Compression Support
  • Local Machine Lockdown
  • Local Image Blocking
  • Local Object Blocking
  • Local Script Blocking

IFrame Mailto Threshold

Windows Internet Explorer 9. For security reasons, Windows Internet Explorer counts the number of requests to the mailto protocol made from an iframe element. When the number of such requests exceeds a certain limit within a certain period of time, additional requests are delayed to limit malicious behavior. The FEATURE_IFRAME_MAILTO_THRESHOLD feature controls these restrictions.

By default, this feature is enabled for Internet Explorer and disabled for applications hosting the WebBrowser Control. To enable this feature by using the registry, add the name of your executable file to the following setting.

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_IFRAME_MAILTO_THRESHOLD
                     contoso.exe = (DWORD) 00000001

The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000.

Image MIME Type Determination

By default, Internet Explorer verifies images downloaded from a web server to determine the content type of the image. If the image data cannot be recognized and the web server specifies a MIME type for the image, Internet Explorer displays the image according to the MIME type value when the FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE feature is enabled. If the feature is disabled, Internet Explorer tries to evaluate unrecognized image data as other MIME types, such as XML and HTML.

By default, this feature is enabled for Internet Explorer and for applications hosting the WebBrowser Control. To disable this feature by using the registry, add the name of your executable file to the following setting.

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE
                     contoso.exe = (DWORD) 00000000

The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000.

Information Bar Handling

The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted.

By default, this feature is enabled for Internet Explorer and disabled for applications hosting the WebBrowser Control. To enable this feature by using the registry, add the name of your executable file to the following setting.

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_SECURITYBAND
                     contoso.exe = (DWORD) 00000000

The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000.

Input Prompt Blocking

Windows Internet Explorer 7. When enabled, the FEATURE_BLOCK_INPUT_PROMPTS feature allows the pop-up blocker to block JavaScript input prompts, such as the dialog box displayed by the prompt method of the window object. This helps prevent spoofing attacks.

By default, this feature is enabled for Internet Explorer and disabled for applications hosting the WebBrowser Control. To enable this feature by using the registry, add the name of your executable file to the following setting.

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_BLOCK_INPUT_PROMPTS
                     contoso.exe = (DWORD) 00000000

The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000.

IViewObject Legacy Drawing

Internet Explorer 9. By default, the WebBrowser Control uses Microsoft DirectX to render webpages, which might cause problems for applications that use the Draw method to create bitmaps from certain webpages. In Internet Explorer 9, this method returns a bitmap (in a Windows Graphics Device Interface (GDI) wrapper) instead of a GDI metafile representation of the webpage. When the FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI feature is enabled, the following conditions cause the Draw method to use GDI instead of DirectX to create the resulting representation. The GDI representation will contain text records and vector data, but is not guaranteed to be similar to the same representation returned in earlier versions of the browser:

By default, this feature is enabled for applications hosting the WebBrowser Control. This feature is ignored by Internet Explorer and Windows Explorer. To enable this feature by using the registry, add the name of your executable file to the following setting.

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI
                     contoso.exe = (DWORD) 00000001

The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000.

Legacy Input Model

Windows 8 introduces a new input model that is different from the Windows 7 input model. In order to provide the broadest compatibility for legacy applications, the WebBrowser Control for Windows 8 emulates the Windows 7 mouse, touch, and pen input model (also known as the legacy input model).

When the legacy input model is in effect, the following conditions are true:

  • Windows pointer messages are not processed by the Trident rendering engine (mshtml.dll).
  • Document Object Model (DOM) pointer and gesture events do not fire.
  • Mouse and touch messages are dispatched according to the Windows 7 input model.
  • Touch selection follows the Windows 7 model (“drag to select”) instead of the Windows 8 model (“tap to select”).
  • Hardware accelerated panning and zooming is disabled.
  • The Zoom and Pan Cascading Style Sheets (CSS) properties are ignored.

The FEATURE_NINPUT_LEGACYMODE feature control determines whether the legacy input model is enabled. By default, the feature is disabled for Internet Explorer and enabled for applications hosting the WebBrowser Control. To disable this feature by using the registry, add the name of your executable file to the following setting.

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_NINPUT_LEGACYMODE
                     contoso.exe = (DWORD) 00000000

The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000.

Legacy Compression Support

Internet Explorer 7 consolidated HTTP compression and data manipulation into a centralized component in order to improve performance and to provide greater consistency between transfer encodings (such as HTTP no-cache headers). For compatibility reasons, the original implementation was left in place. When the FEATURE_DISABLE_LEGACY_COMPRESSION feature is disabled, the original compression implementation is used.

By default, this feature is enabled for Internet Explorer and for applications hosting the WebBrowser Control. To disable this feature by using the registry, add the name of your executable file to the following setting.

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_DISABLE_LEGACY_COMPRESSION
                     contoso.exe = (DWORD) 00000000

The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000.

Local Machine Lockdown

When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user’s local machine, which helps prevent malicious behavior involving local files:

  • Scripts, Microsoft ActiveX controls, and binary behaviors are not allowed to run.
  • Object safety settings cannot be overridden.
  • Cross-domain data actions require confirmation from the user.

By default, this feature is enabled for Internet Explorer and disabled for applications hosting the WebBrowser Control. To enable this feature by using the registry, add the name of your executable file to the following setting.

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_LOCALMACHINE_LOCKDOWN
                     contoso.exe = (DWORD) 00000001

Note  This feature can be enabled only by using the registry; it cannot be enabled using the CoInternetSetFeatureEnabled function.


The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000.

Note  The Mark of the Web (MOTW) allows Internet Explorer to load local content in the Internet zone. For more information, see Mark of the Web.


Local Image Blocking

Internet Explorer 7 and later. When enabled, the FEATURE_BLOCK_LMZ_IMG feature allows images stored in the Local Machine zone to be loaded only by webpages loaded from the Local Machine zone or by webpages hosted by sites in the Trusted Sites list. For more information, see Security and Compatibility in Internet Explorer 7.

By default, this feature is enabled for Internet Explorer and disabled for applications hosting the WebBrowser Control. To enable this feature by using the registry, add the name of your executable file to the following setting.

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_BLOCK_LMZ_IMG
                     contoso.exe = (DWORD) 00000001

The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000.

Local Object Blocking

Internet Explorer 7 and later. When enabled, the FEATURE_BLOCK_LMZ_OBJECT feature allows objects stored in the Local Machine zone to be loaded only by webpages loaded from the Local Machine zone or by webpages hosted by sites in the Trusted Sites list. For more information, see Security and Compatibility in Internet Explorer 7.

By default, this feature is enabled for Internet Explorer and disabled for applications hosting the WebBrowser Control. To enable this feature by using the registry, add the name of your executable file to the following setting.

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_BLOCK_LMZ_OBJECT
                     contoso.exe = (DWORD) 00000001

The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000.

Local Script Blocking

Internet Explorer 7 and later. When enabled, the FEATURE_BLOCK_LMZ_SCRIPT feature allows scripts stored in the Local Machine zone to be run only in webpages loaded from the Local Machine zone or by webpages hosted by sites in the Trusted Sites list. For more information, see Security and Compatibility in Internet Explorer 7.

By default, this feature is enabled for Internet Explorer and disabled for applications hosting the WebBrowser Control. To enable this feature by using the registry, add the name of your executable file to the following setting.

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
   SOFTWARE
      Microsoft
         Internet Explorer
            Main
               FeatureControl
                  FEATURE_BLOCK_LMZ_SCRIPT
                     contoso.exe = (DWORD) 00000001

The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000.
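The per-executable FeatureControl settings documented above follow one pattern: a DWORD named after the hosting executable under the feature's subkey, 1 to enable and 0 to disable. The following PowerShell is an added example (not part of the Microsoft documentation quoted above) that sets and audits such values; the function names are my own and hostapp.exe is a placeholder for an application hosting the WebBrowser Control.

```powershell
# Added example: write and read Internet Feature Control values for a hosting
# executable. 'hostapp.exe' is a placeholder; function names are not Microsoft's.
function Set-IEFeatureControl {
    param(
        [Parameter(Mandatory)][string]$Feature,      # e.g. FEATURE_LOCALMACHINE_LOCKDOWN
        [Parameter(Mandatory)][string]$Executable,   # process image name, e.g. hostapp.exe
        [Parameter(Mandatory)][bool]$Enabled,
        [ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKCU'   # HKLM requires elevation
    )
    $key = "${Hive}:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\$Feature"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # (DWORD) 1 enables the feature for this executable, 0 disables it
    Set-ItemProperty -Path $key -Name $Executable -Value ([int]$Enabled) -Type DWord
}

function Get-IEFeatureControl {
    param(
        [Parameter(Mandatory)][string]$Feature,
        [Parameter(Mandatory)][string]$Executable
    )
    # Report both hives so a conflicting per-user override is visible during audit
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\$Feature"
        $v = (Get-ItemProperty -Path $key -Name $Executable -ErrorAction SilentlyContinue).$Executable
        $state = if ($null -eq $v) { 'NotSet' } elseif ($v -eq 1) { 'Enabled' } else { 'Disabled' }
        [pscustomobject]@{ Hive = $hive; Feature = $Feature; Executable = $Executable; Value = $v; State = $state }
    }
}

# The lockdown and Local Machine zone blocking features are disabled by default
# for applications hosting the WebBrowser Control, so opt the host executable in.
$hardening = 'FEATURE_LOCALMACHINE_LOCKDOWN', 'FEATURE_BLOCK_LMZ_SCRIPT',
             'FEATURE_BLOCK_LMZ_OBJECT', 'FEATURE_BLOCK_LMZ_IMG'
foreach ($f in $hardening) {
    Set-IEFeatureControl -Feature $f -Executable 'hostapp.exe' -Enabled $true
}
$hardening | ForEach-Object { Get-IEFeatureControl -Feature $_ -Executable 'hostapp.exe' } |
    Format-Table -AutoSize
```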

To manually toggle off IE JScript execution in Internet Explorer for Internet Zone and Restricted Sites Zone, you need to go through the following procedure:

  1. Click Start, click Run, type regedt32 or regedit, and then click Ok.
  2. To disable JScript execution in Internet Zone, locate the following registry subkey in Registry Editor:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\140D

    To disable JScript execution in Restricted Sites Zone, locate the following registry subkey in Registry Editor:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\140D

  3. Right-click the appropriate registry subkey, and then click Modify.
  4. In the Edit DWORD (32-bit) Value dialog box, type 3.
  5. Click OK, and then restart Internet Explorer.

After this, Internet Explorer will no longer run JScript from sites using IE legacy document modes (IE9 and earlier versions), nor from sites that are in the Internet Zone or Restricted Sites Zone.

To re-enable JScript execution for one or both security zones, you will have to set the value of the corresponding registry subkey to 0 and restart Internet Explorer for the change to be applied.
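The disable and re-enable steps above can be scripted for fleet deployment and audited afterwards. The following PowerShell is an added example (not from the original post); it assumes an elevated session on a machine that already has the IE cumulative update installed, and the function and parameter names are my own.

```powershell
# Added example: toggle and audit the 140D value for the Internet (3) and
# Restricted Sites (4) zones, as described in the manual procedure above.
$ZoneRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-IEZoneJScriptState {
    param([ValidateSet(3, 4)][int]$Zone)   # 3 = Internet, 4 = Restricted Sites
    $key = Join-Path $ZoneRoot $Zone
    $v = (Get-ItemProperty -Path $key -Name '140D' -ErrorAction SilentlyContinue).'140D'
    # 3 = JScript disabled, 0 = enabled (the values given in the procedure above);
    # anything else is reported verbatim so an unexpected setting is not hidden
    $state = if ($null -eq $v) { 'NotSet' } elseif ($v -eq 3) { 'Disabled' }
             elseif ($v -eq 0) { 'Enabled' } else { "Other($v)" }
    [pscustomobject]@{ Zone = $Zone; Value = $v; State = $state }
}

function Set-IEZoneJScript {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet(3, 4)][int]$Zone,
        [switch]$Enable            # default action is to disable JScript
    )
    $key  = Join-Path $ZoneRoot $Zone
    $data = if ($Enable) { 0 } else { 3 }
    if ($PSCmdlet.ShouldProcess("$key\140D", "Set DWORD to $data")) {
        # Set-ItemProperty creates the value if it is missing and overwrites it otherwise
        Set-ItemProperty -Path $key -Name '140D' -Value $data -Type DWord
    }
}

# Disable JScript in both zones, then verify. Internet Explorer must be
# restarted for the change to take effect.
foreach ($z in 3, 4) { Set-IEZoneJScript -Zone $z }
3, 4 | ForEach-Object { Get-IEZoneJScriptState -Zone $_ } | Format-Table -AutoSize

# To revert:  foreach ($z in 3, 4) { Set-IEZoneJScript -Zone $z -Enable }
```

Run with `-WhatIf` (for example `Set-IEZoneJScript -Zone 3 -WhatIf`) to preview the registry write before applying it.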

JScript can also be blocked from executing scripts for emulated apps (including 32-bit programs running on 64-bit machines) by following the steps available in this advisory.

JScript and zero-day security vulnerabilities

Two actively exploited zero-day vulnerabilities were found in the JScript scripting engine and patched by Microsoft since September 2019.

Both of them were remote code execution (RCE) scripting engine memory corruption vulnerabilities stemming from the way the scripting engine handled objects in memory in Internet Explorer 9, 10, and 11.

CVE-2019-1367 was reported in September 2019 and CVE-2020-0674 in January 2020 by Clément Lecigne of Google’s Threat Analysis Group.

The two zero-days were actively exploited in targeted attacks and, according to Microsoft, if the currently logged on user has administrative permissions on a compromised device, attackers could take over the system after successful exploitation, installing programs and manipulating data, as well as creating rogue accounts with full user rights.

Attackers could also exploit the zero-days using a maliciously crafted website that will remotely execute commands on the visitor’s computer without their knowledge or permission when visited using a vulnerable Internet Explorer version.

“Microsoft will continue to provide security updates for JScript via the latest cumulative updates for Windows 10, and Cumulative Updates for Internet Explorer 11 or Monthly Rollups for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard,” Microsoft says.

“If you have automatic updates enabled, updates will be automatically downloaded and installed on your users’ devices. If you have disabled automatic updates for your organization, you will need to check for updates and install them manually.”
