Check: DTOO152
Microsoft Excel 2013 STIG: DTOO152 (in versions v1 r7 through v1 r6)
Title
The loading of images from web pages must not be allowed. (Cat II impact)
Discussion
When users open web pages in Excel, Excel loads any graphics included in the pages, regardless of whether or not they were originally created in Excel. Allowing Excel to load graphics created in other programs can make Excel vulnerable to possible future zero-day attacks using graphic files as an attack vector. If such an event occurs, this setting can be used to mitigate the vulnerability.
Check Content
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Excel 2013 -> Excel Options -> Advanced -> Web Options -> General "Load pictures from Web pages not created in Excel" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\excel\internet

Criteria: If the value "DoNotLoadPictures" is REG_DWORD = 1, this is not a finding.
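The registry criterion above can be checked with a script instead of the Registry Editor. The following PowerShell is an added example, not part of the STIG text; the function name Test-DTOO152 and the result object layout are assumptions, and it assumes that a missing key, a missing value, a wrong type or any data other than 1 is reported as a finding.

```powershell
# Added example: audits the DTOO152 criterion for the account running the script.
# Test-DTOO152 and the fields of its result object are hypothetical names.
function Test-DTOO152 {
    [CmdletBinding()]
    param(
        # Key and value name as given in the Check Content.
        [string]$KeyPath   = 'HKCU:\Software\Policies\Microsoft\Office\15.0\excel\internet',
        [string]$ValueName = 'DoNotLoadPictures'
    )

    $result = [ordered]@{
        Check  = 'DTOO152'
        User   = "$env:USERDOMAIN\$env:USERNAME"
        Status = 'Finding'      # assumed default until the criterion is met
        Detail = $null
    }

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) {
        $result.Detail = "Policy key not present: $KeyPath"
        return [pscustomobject]$result
    }

    # GetValue returns $null for a missing value; GetValueKind would throw instead.
    $data = $key.GetValue($ValueName, $null)
    if ($null -eq $data) {
        $result.Detail = "Value '$ValueName' is not set under the policy key"
        return [pscustomobject]$result
    }

    # The criterion requires both the type (REG_DWORD) and the data (1) to match.
    $kind = $key.GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Detail = "Value '$ValueName' is of type $kind, expected REG_DWORD"
    }
    elseif ($data -ne 1) {
        $result.Detail = "Value '$ValueName' is REG_DWORD = $data, expected 1"
    }
    else {
        $result.Status = 'NotAFinding'
        $result.Detail = "Value '$ValueName' is REG_DWORD = 1"
    }
    return [pscustomobject]$result
}

Test-DTOO152
```

HKCU resolves to the hive of the account running the script, so run it in the session of the user being assessed rather than from a separate administrative account.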
Fix Text
Set the policy value for User Configuration -> Administrative Templates -> Microsoft Excel 2013 -> Excel Options -> Advanced -> Web Options -> General "Load pictures from Web pages not created in Excel" to "Disabled".
Additional Identifiers
Rule ID: SV-53820r1_rule
Vulnerability ID: V-17751
Group Title: DTOO152 - Load pics from Web not in Excel
CCIs
Number | Definition |
---|---|
CCI-001170 | The information system prevents the automatic execution of mobile code in organization-defined software applications. |
Controls
Number | Title |
---|---|
SC-18 (4) | Prevent Automatic Execution |