This month we shipped a security update and bulletin (ms10-105) to address vulnerabilities in the .cgm, .tif, .fpx, and .pct image filters. These filters are shipped with Microsoft Office to extend image rendering for applications. Neither Office 2010 nor Office 2007 use filters to perform rendering by default. Both use GDI+ instead. Historically, if an image filter was incapable of rendering an image and GDI+ supported the image format, GDI+ would be asked to render the image. GDI+ worked as a backup renderer. The newer versions of Office have switched to using GDI+ as the default render and have also deprecated the use of some filters.
What the update does
The update will include an updated version of .pct filter to address a vulnerability found in that filter. In addition to that the update makes GDI+ the default renderer on versions of Office prior to 2007 (as opposed to using the filters that ship with Office). Beyond this, a filter allow-list was backported from Office 2010 and Office 2007 to downlevel versions of Office. The allow-list enables commonly used filters and disables other legacy filters. However, if needed administrators can re-enable the legacy filters through a registry key.
Registry Location: HKLM\software\microsoft\office\common\security\allowlists\graphicsfilterimportName: AllowListEnabledType: DWORDDescription: This registry key controls whether an allow-listshould be used for image filters. If this registry key is set to 1, Office will look at other keys in the same registry location for filters to enable. The filters to enable are specified by creating a new string value for each filter with a name of FILTER.FLT (where FILTER.FLT is the name of a real filter) and a value of the format XX.YY.ZZ.WW (where XX, YY, ZZ and WW specify the version of the filter).Values:
For more details on the allow-list and some examples of how to use it, please refer to the KB article at http://support.microsoft.com/kb/2479871.
Thanks to Modesto Estrada, the Office team, Brian Cavenah, and Andrew Roths for their efforts shipping this update.