Jump to content

Microsoft Office XP/2003/2007/2010 Graphic Filters "Allow List&#34


Ascii2

Recommended Posts

Microsoft TechNet Security Bulletin MS10-105 (link) describes an update that applies to (though not limited to) Microsoft Office 2003, Microsoft Office 2007, and Microsoft Office 2010.

One of the documented known issues of the update is the enforcement of a graphics filter "Allow List". The graphics filter "Allow List" and its functionality should be documented in the Microsoft Knowledge Base KB2479871 article (link to article).

From what I understand of the KB2479871 article documentation, the MS10-105 update, modifies the way Office 2003, Office 2007, and Office 2010 handles graphics and seems to qualify graphics formats against a list of permissible formats (the "Allow List"). Only the Bitmap (.bmp), Encapsulated PostScript (.eps), Graphics Interchange Format (.gif), Joint Photographic Experts Group (.jpg, .jpeg), Macintosh PICT (.pict), and Portable Network Graphics (.png) formats should be defined to be permitted by default. The display or use of formats other graphics should not be permitted by Microsoft Office (various versions).

I tried testing the "Allow List" behavior in Microsoft Office 2003. Microsoft Office 2003 should support the TIFF format, but the TIFF format should not be defined to be allowed/permitted on the Allow List (inferred from the information in the KB2479871 article). To test the behavior of the Allow List, I performed the following procedure on a computer with Windows XP Professional with Service Pack 2 and Microsoft Office 2003 installed:

  1. Apply the MS10-105 update for Microsoft Office 2003 with SP3, KB2289163 ("office2003-KB2289163-FullFile-ENU.exe").
  2. Reboot.
  3. Create TIFF image in Adobe Photoshop 7.0.1 import the image into a new Word document (".doc" type).
  4. Save and close the document.
  5. Open and examine the document using Microsoft Word.

During and after the procedure, I noticed that the TIFF image imported and displayed.

The expected result of the "Allow List" test was that the TIFF image would not display (and possibly not even import). However, the TIFF image, a format that should have not been permitted, displayed.

I have attached a copy of the document I created using the procedure above ("Image support test.doc"), as well as an archive ("Test_Image.zip") with the image used in the procedure ("Test_Image.tif").

Am I interpreting the function of the "Allow List" incorrectly? If so, what should the "Allow List" actually do?

Test_Image.zip

Image support test.doc

Edited by Ascii2
Link to comment
Share on other sites


I guess TIFF import doesn't go through filters. Procmon says it goes through GDIPlus, which in turn has some settings in

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus]

"DisableBMPCodec"=dword:0

...

"DisableTIFFCodec"=dword:0

There you can disable TIFF if you want to.

I myself just allow everything. :whistle:

GL

Link to comment
Share on other sites

I guess TIFF import doesn't go through filters. Procmon says it goes through GDIPlus, which in turn has some settings in

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus]

"DisableBMPCodec"=dword:0

...

"DisableTIFFCodec"=dword:0

There you can disable TIFF if you want to.

I myself just allow everything. :whistle:

GL

Thank you for the information GrofLuigi.

So it seems as though I should test using different image formats.

I also prefer to have everything enabled; however, it seemed that, as of MS10-105, every graphics filter except those except those explicitly specified to be enabled on an "Allow List" would be disabled. I also could not find documentation to disable the "Allow List".

I wanted to test the impact of the change if the MS10-105 update were applied and to test the impact on the Microsoft Office File Converter Pack (see my other related thread at ).

Edited by Ascii2
Link to comment
Share on other sites

I also could not find documentation to disable the "Allow List".

KB2479871 says: "To disable the "Allow List," the AllowListEnabled value must be set to 0."

I read that as "To disable the Allow List functionality".

I wanted to test the impact of the change if the MS10-105 update were applied and to test the impact on the Microsoft Office File Converter Pack (see my other related thread at ).

I guess it depends if the document contains any graphics that would need to be converted/imported... But logic sometimes doesn't apply to Microsoft... :unsure:

GL

Edited by GrofLuigi
Link to comment
Share on other sites

The KB2479871 article seems to have been update after my initial reading of it. Now the article is easier to understand.

I have tested the "Allow List" functionality. After applying MS10-105 or other newer update update regardless of whether or not they update the graphics or other filters) an "Allow List" is enforced and checked.

The "Allow List" behavior is not enforced for the, nor due to the update for Microsoft Office File Converter Pack (this has been tested using Microsoft Office File Converter Pack with Office 2000 and applying updates).

Unfortunately, to display all images correctly now, yet another registry modification should be configured.

For 32-bit versions of Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2007, and Microsoft Office 2010, the following information can be used to disable the graphics filters "Allow List": (Thanks GrofLuigi for making reference to it)

(Copy below contents and save as am ANSI-encoded text file ending in a black line and merge file to Windows registry)

REGEDIT4

; Applies to Office XP, Office 2003, Office 2007, and 32-bit Office 2010.

; Updates as of MS10-105 (update dated November 12, 2010),
; a graphics filter whitelist ("Allow List") is checked and enabled by default (KB2479871).

; AllowListEnabled value data of 0 disables the "Allow List"; value data of 1 enables the Allow List.

; This setting may be overridden by policy setting at the
; HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\Common\Security\AllowLists\GraphicsFilterImport key.


; Disable "Allow List" restriction
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\Security\AllowLists\GraphicsFilterImport]
"AllowListEnabled"=dword:00000000

; Default
;"AllowListEnabled"=-

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...