
IMPORTANT This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.

Summary

The event log for Internet Explorer has a custom security descriptor (CustomSD) defined that lets any authenticated domain user (non-administrator) connect to the event log and receive a handle to it, even from a different device, a different domain-joined device, or a different domain controller, and then write log files to the event log. This behavior might cause a temporary denial of service because a remote authenticated user can fill up the target device’s storage system. This can make the device unusable until the extraneous files are deleted.

CVE-2022-37981 implements a change of behavior that restricts a Domain User account from accessing the Internet Explorer event log. This change of behavior is included in the Windows security updates dated on or after October 2022.

This change of behavior allows for the following:

  • Allow all access to a Domain Administrator

  • Allow all access to a Local Administrator

  • Deny all access to a Domain User

  • Allow all access to everyone

Workaround

WARNING This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

Specifically, if you use this workaround, an authenticated user in the domain might write log files to the event log, which could cause a temporary denial of service and make the device unusable.

To revert to the behavior prior to installing the October 2022 security update, change the Internet Explorer security descriptors in the registry.

IMPORTANT This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

KB322756: How to back up and restore the registry in Windows

Change the following CustomSD value:

Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer

CustomSD value: O:BAG:SYD:(A;;0x07;;;WD)S:(ML;;0x1;;;LW)

To the following CustomSD value:

Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer

CustomSD value: O:BAG:SYD:(A;;0x07;;;DA)(A;;0x07;;;LA)(D;;0x07;;;DU)(A;;0x07;;;WD)S:(ML;;0x1;;;LW)

More information

The following is the behavior before and after installing the October 2022 security update.

| Access | Behavior before | Behavior after |
| --- | --- | --- |
| Domain administrator | Allow | Allow |
| Local administrator | Allow | Allow |
| Domain user (non-administrator) | Allow | Deny |
| Local user | Allow | Allow |
| Service account | Allow | Allow |
| All other accesses | Allow | Allow |

After installing the October 2022 security update, a domain user will be unable to access the Internet Explorer event log on the domain controller. This change of behavior prevents a temporary distributed denial of service. However, an administrator account on the domain controller can change the CustomSD value to a previous value if application logic requires it.
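The following Python sketch is an added example, not part of the Microsoft article. It parses the two CustomSD strings listed in the Workaround section and walks each DACL in order to show which callers are granted write access to the log. The token group sets, the function names, and the simplified access check (no integrity-label or privilege handling) are assumptions made for illustration.

```python
import re

# Event log access-mask bits; 0x07 in the ACEs is read | write | clear.
ELF_READ, ELF_WRITE, ELF_CLEAR = 0x1, 0x2, 0x4

# The two CustomSD strings from the Workaround section, copied verbatim.
SDDL_EVERYONE_ONLY = "O:BAG:SYD:(A;;0x07;;;WD)S:(ML;;0x1;;;LW)"
SDDL_WITH_DU_DENY = ("O:BAG:SYD:(A;;0x07;;;DA)(A;;0x07;;;LA)(D;;0x07;;;DU)"
                     "(A;;0x07;;;WD)S:(ML;;0x1;;;LW)")

# Constructed tokens (assumption): SDDL SID abbreviations each caller holds.
# DA = Domain Admins, LA = local Administrator, DU = Domain Users, WD = Everyone.
TOKENS = {
    "Domain administrator": {"DA", "DU", "WD"},
    "Local administrator": {"LA", "WD"},
    "Domain user (non-administrator)": {"DU", "WD"},
    "Local user": {"WD"},
}

def parse_dacl(sddl):
    """Return the DACL as an ordered list of (ace_type, mask, trustee)."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if dacl is None:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = body.split(";")
        # type;flags;rights;object_guid;inherit_guid;sid (hex rights only)
        aces.append((fields[0], int(fields[2], 16), fields[5]))
    return aces

def access_check(dacl, token_sids, desired):
    """Simplified in-order DACL walk; ignores integrity labels and privileges."""
    remaining = desired
    for ace_type, mask, trustee in dacl:
        if trustee not in token_sids:
            continue
        if ace_type == "D" and mask & remaining:
            return False          # a matching deny ACE ends the walk
        if ace_type == "A":
            remaining &= ~mask
            if remaining == 0:
                return True       # everything requested has been granted
    return False                  # bits left ungranted: implicit deny

def write_access(sddl):
    """Map each constructed token to whether it may write to the log."""
    dacl = parse_dacl(sddl)
    return {who: access_check(dacl, sids, ELF_WRITE) for who, sids in TOKENS.items()}

if __name__ == "__main__":
    for sddl in (SDDL_EVERYONE_ONLY, SDDL_WITH_DU_DENY):
        print(sddl, write_access(sddl))
```

ACE order is what keeps administrators working: the allow entry for DA precedes the deny entry for DU, so a domain administrator who is also a member of Domain Users is granted access before the deny is reached.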
