
Windows - Security - Mitigate Browser Information Disclosure Vulnerability

Mitigate CVE-2017-8529 Internet Explorer information disclosure on Windows endpoints with Microsoft's recommended registry fix

Worklet Details

What the CVE-2017-8529 mitigation Worklet does

This Automox Worklet™ enforces the registry configuration Microsoft published as the official mitigation for CVE-2017-8529, the Internet Explorer information disclosure vulnerability. The Worklet writes the iexplore.exe DWORD value 1 under FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX, covering both the native 64-bit registry view and the 32-bit WOW6432Node view so the protection applies regardless of which IE bitness is installed.

Evaluation and remediation share the same EvaluateRegistry function, which opens HKEY_LOCAL_MACHINE through Microsoft.Win32.RegistryKey.OpenBaseKey, selects the correct RegistryView based on Is64BitOperatingSystem, and confirms that the value name, value, and DWORD type all match the desired state. Any mismatch flags the endpoint for remediation; remediation rewrites the value through CreateSubKey and SetValue.

The Worklet is idempotent. Endpoints already at the desired state report compliant and exit 0 without writing to the registry. Endpoints with a drifted or missing value are rewritten through RemediateRegistry, and each remediated path is logged with a confirmation line containing the iexplore.exe value name and the registry path that was set.

Why mitigate CVE-2017-8529 at fleet scale

CVE-2017-8529 lets an attacker hosting malicious web content detect whether specific files exist on the user's endpoint. The information disclosure does not give direct code execution, but it gives the attacker a reconnaissance primitive that pairs cleanly with a second-stage exploit targeted to the files that were confirmed present. Microsoft published the registry mitigation rather than a binary patch, so endpoints that never receive a manual configuration step remain exposed even after every monthly cumulative update lands.

The mitigation is a single DWORD per architecture view under HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX, and it only counts when every Windows endpoint in scope actually carries it. Apply this Worklet through a vulnerability-remediation policy that targets your workstations and servers so the iexplore.exe DWORD lands from a single configuration. Schedule a recurring evaluation so the mitigation is reasserted when an admin reverts the value, a profile copy strips it, or a freshly imaged endpoint joins the policy group without the value in the gold image.

How the CVE-2017-8529 registry mitigation works

  1. Evaluation phase: Calls EvaluateRegistry against both target paths: SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX and SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX. Each path is checked for the iexplore.exe value, the DWORD type, and the value 1. Any missing path, missing value, wrong type, or wrong data flags the endpoint for remediation and exits 1; full match exits 0.

  2. Remediation phase: Re-runs EvaluateRegistry, collects every input that did not match, then calls RemediateRegistry on each one. RemediateRegistry opens HKEY_LOCAL_MACHINE in the correct architecture view (Registry64 on 64-bit Windows, Registry32 otherwise), calls CreateSubKey to create the path if it does not already exist, and SetValue to write iexplore.exe as DWORD 1. The script writes a confirmation line per remediated value and exits 0.
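The evaluate-then-remediate flow described above, sketched in PowerShell as an added example; it is not the Worklet's source. The function names Open-Hklm, Test-FixValue and Set-FixValue and the -Remediate switch are hypothetical, while the registry paths, value name and data are the ones given on this page.

```powershell
# Added example; names below are illustrative, not the Worklet's own functions.
param([switch]$Remediate)   # hypothetical switch: evaluate only unless set
$Name = 'iexplore.exe'; $Want = 1
$Fc = 'Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX'
$Paths = "SOFTWARE\Microsoft\$Fc", "SOFTWARE\WOW6432Node\Microsoft\$Fc"

function Open-Hklm {
    # Registry64 on 64-bit Windows, Registry32 otherwise.
    $view = [Microsoft.Win32.RegistryView]::Registry32
    if ([Environment]::Is64BitOperatingSystem) { $view = [Microsoft.Win32.RegistryView]::Registry64 }
    [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
}

function Test-FixValue([string]$Path) {
    $base = Open-Hklm
    try {
        $key = $base.OpenSubKey($Path)              # read-only; $null when the path is missing
        if ($null -eq $key) { return $false }
        try {
            if ($key.GetValueNames() -notcontains $Name) { return $false }   # missing value
            # A REG_SZ "1" must not pass: check the type as well as the data.
            $isDword = $key.GetValueKind($Name) -eq [Microsoft.Win32.RegistryValueKind]::DWord
            return ($isDword -and $key.GetValue($Name) -eq $Want)
        } finally { $key.Close() }
    } finally { $base.Close() }
}

function Set-FixValue([string]$Path) {
    $base = Open-Hklm
    try {
        $key = $base.CreateSubKey($Path)            # creates the path if absent, opens it writable
        try { $key.SetValue($Name, $Want, [Microsoft.Win32.RegistryValueKind]::DWord) }
        finally { $key.Close() }
    } finally { $base.Close() }
    Write-Output "Set $Name = $Want (DWORD) under HKLM\$Path"
}

# Collect every path that is not at the desired state.
$drifted = @($Paths | Where-Object { -not (Test-FixValue $_) })
if ($drifted.Count -eq 0) { Write-Output 'Compliant: both paths hold iexplore.exe = DWORD 1'; exit 0 }
if (-not $Remediate) { $drifted | ForEach-Object { Write-Output "Drift: HKLM\$_" }; exit 1 }
$drifted | ForEach-Object { Set-FixValue $_ }
exit 0
```

Run it from an elevated session. Without -Remediate it only reports drift and exits 1, mirroring the evaluation phase; with -Remediate it rewrites only the paths that failed the check.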

CVE-2017-8529 mitigation requirements

  • Windows endpoint with Internet Explorer present (the FeatureControl path exists only when IE is installed, which is the standard configuration through Windows 10 and on Windows Server)

  • PowerShell v3 or higher

  • Local administrator context to write under HKEY_LOCAL_MACHINE (the Automox agent runs at this level by default)

  • No parameters to set; the registry inputs are predefined in the script and match the values published in the Microsoft Security Response Center advisory

  • Recurring policy schedule recommended so any subsequent rollback of the value is caught on the next evaluation

Expected post-mitigation registry state

After the Worklet runs, both registry paths contain the iexplore.exe DWORD value with data set to 1. Verify with reg query "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX" /v iexplore.exe, and the matching WOW6432Node path. Both queries should return REG_DWORD 0x1. The Automox Activity Log records the exact registry name and path that RemediateRegistry wrote, giving you a per-endpoint audit trail for the CVE-2017-8529 mitigation.

Subsequent evaluations exit 0 with the message Device is compliant with the desired registry configuration. If a future Group Policy change, profile copy, or admin action removes the value, the next evaluation reads the missing DWORD and the remediation script rewrites the iexplore.exe value under FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX on the next policy run. Microsoft has not retired the registry mitigation, so the configuration remains the supported guard for CVE-2017-8529 even after Internet Explorer reaches end-of-support on a given Windows release.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
