Title

Do not Load pictures from web pates not created in Excel (Cat II impact)

Discussion

By default, when users open Web pages in Excel 2007, Excel loads any graphics that are included in the pages, regardless of whether they were originally created in Excel. Allowing Excel to load graphics created in other programs can make Excel vulnerable to possible future zero-day attacks that use graphic files as an attack vector. If such an event occurs, this setting can be used to mitigate the vulnerability.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Excel 2007 -> Excel Options -> Advanced -> Web Options -> General “Load pictures from Web pages not created in Excel” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Excel\Internet Criteria: If the value DoNotLoadPictures is REG_DWORD = 1, this is not a finding.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Excel 2007 -> Excel Options -> Advanced -> Web Options -> General “Load pictures from Web pages not created in Excel” will be set to “Disabled”.

Additional Identifiers

Rule ID: SV-18941r1_rule

Vulnerability ID: V-17751

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.