Check: DTOO197 - Office
Microsoft Office System 2007:
DTOO197 - Office
(in versions v4 r15 through v4 r14)
Title
Disable Smart Documents use of Manifests in Office (Cat II impact)
Discussion
An XML expansion pack is the group of files that constitutes a Smart Document in Excel 2007 and Word 2007. You package one or more components that provide the logic needed for a Smart Document by using an XML expansion pack. These components can include any type of file, including XML schemas, Extensible Stylesheet Language Transforms (XSLTs), dynamic-link libraries (DLLs), and image files, as well as additional XML files, HTML files, Word files, Excel files, and text files. The key component to building an XML expansion pack is creating an XML expansion pack manifest file. By creating this file, you specify the locations of all files that make up the XML expansion pack, as well as information that instructs 2007 Office how to set up the files for your Smart Document. The XML expansion pack can also contain information about how to set up some files, such as how to install and register a COM object required by the XML expansion pack. XML expansion packs can be used to initialize and load malicious code, which might affect the stability of a computer and lead to data loss. By default, 2007 Office applications can load an XML expansion pack manifest file with a Smart Document.
Check Content
The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Smart Documents (Word, Excel) “Disable Smart Document's use of manifests” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\Common\Smart Tag Criteria: If the value NeverLoadManifests is REG_DWORD = 1, this is not a finding.
Fix Text
The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Smart Documents (Word, Excel) “Disable Smart Document's use of manifests” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."
Additional Identifiers
Rule ID: SV-18834r1_rule
Vulnerability ID: V-17669
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |