This month we shipped a security update and bulletin (MS10-105) to address vulnerabilities in the .cgm, .tif, .fpx, and .pct image filters. These filters ship with Microsoft Office to extend image rendering for applications. Neither Office 2010 nor Office 2007 uses filters to perform rendering by default; both use GDI+ instead. Historically, if an image filter was incapable of rendering an image and GDI+ supported the image format, GDI+ would be asked to render the image; GDI+ worked as a backup renderer. The newer versions of Office have switched to using GDI+ as the default renderer and have also deprecated the use of some filters.

 

What the update does

 

The update includes an updated version of the .pct filter to address a vulnerability found in that filter. In addition, the update makes GDI+ the default renderer on versions of Office prior to 2007 (as opposed to using the filters that ship with Office). Beyond this, a filter allow-list was backported from Office 2010 and Office 2007 to downlevel versions of Office. The allow-list enables commonly used filters and disables other legacy filters. However, if needed, administrators can re-enable the legacy filters through a registry key.

 

Registry Location: HKLM\software\microsoft\office\common\security\allowlists\graphicsfilterimport
Name: AllowListEnabled
Type: DWORD
Description: This registry key controls whether an allow-list should be used for image filters. If this registry key is set to 1, Office will look at other keys in the same registry location for filters to enable. The filters to enable are specified by creating a new string value for each filter with a name of FILTER.FLT (where FILTER.FLT is the name of a real filter) and a value of the format XX.YY.ZZ.WW (where XX, YY, ZZ and WW specify the version of the filter).
Values:

  • Key not present (default)
    After the update has been installed, all versions of Office will default to routing GIF, PNG, JPG and BMP through GDI+. The PICT and EPS filters will be enabled. All other filters will be disabled.

  • Set to 1
    If the registry value is set to 1, it tells Office to use an allow-list based on the filters explicitly specified in the registry. If this value is set in the group policy hive then Office assumes the system administrator wants to control the filters and does not read any filter data from the machine hive.

  • Set to 0
    If the registry key is set to 0, all filters are enabled.
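
To check which of the three states above a machine is in, the following PowerShell audit reads the key and lists any allow-listed filters. It is an added example, not code from this post or from the Office team; the $PolicyKey parameter is an assumption, since the post does not give the group policy hive path, and the numeric check on the version string is also an assumption.

```powershell
# Added example (not from the post): report the effective image-filter policy.
# $MachineKey is the registry location given in the post. $PolicyKey is an
# assumption: the post does not give the group policy hive path, so supply it.
param(
    [string]$MachineKey = 'HKLM:\software\microsoft\office\common\security\allowlists\graphicsfilterimport',
    [string]$PolicyKey  = ''
)

function Get-FilterPolicy {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $null }
    $key     = Get-Item -LiteralPath $Path
    $enabled = $key.GetValue('AllowListEnabled', $null)
    if ($null -eq $enabled) { return $null }   # "Key not present (default)"
    # Every other value is a filter entry: name FILTER.FLT, data XX.YY.ZZ.WW.
    # WellFormed assumes the four version parts are numeric.
    $filters = foreach ($name in $key.GetValueNames()) {
        if ($name -eq '' -or $name -eq 'AllowListEnabled') { continue }
        $data = [string]$key.GetValue($name)
        [pscustomobject]@{
            Filter     = $name
            Version    = $data
            WellFormed = ($name -match '\.flt$') -and ($data -match '^\d+\.\d+\.\d+\.\d+$')
        }
    }
    [pscustomobject]@{ Path = $Path; AllowListEnabled = [int]$enabled; Filters = @($filters) }
}

# Per the post, a value set in the policy hive means filter data is not read
# from the machine hive, so the policy hive is evaluated first.
$policy    = Get-FilterPolicy $PolicyKey
$machine   = Get-FilterPolicy $MachineKey
$effective = if ($policy) { $policy } else { $machine }

if (-not $effective) {
    'AllowListEnabled not set: GIF, PNG, JPG and BMP go through GDI+; PICT and EPS filters enabled; all other filters disabled.'
} elseif ($effective.AllowListEnabled -eq 0) {
    "AllowListEnabled = 0 at $($effective.Path): all filters are enabled, including the legacy ones."
} elseif ($effective.AllowListEnabled -eq 1) {
    "AllowListEnabled = 1 at $($effective.Path): only the filters listed below are enabled."
    $effective.Filters | Format-Table -AutoSize | Out-String
} else {
    "AllowListEnabled = $($effective.AllowListEnabled) at $($effective.Path): not a value the post describes."
}
```

On 64-bit Windows, a 32-bit Office reads the 32-bit registry view, so run this from a 32-bit PowerShell host to inspect the same key Office uses.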

 

For more details on the allow-list and some examples of how to use it, please refer to the KB article at http://support.microsoft.com/kb/2479871.

 

Thanks to Modesto Estrada, the Office team, Brian Cavenah, and Andrew Roths for their efforts shipping this update.