Load pictures from Web pages must be disallowed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17751	DTOO152 - Excel	SV-33435r1_rule	ECSC-1	Medium

Description
When users open Web pages in Excel, Excel loads any graphics included in the pages, regardless of whether they were originally created in Excel. Allowing Excel to load graphics created in other programs can make Excel vulnerable to possible future zero-day attacks using graphic files as an attack vector. If such an event occurs, this setting can be used to mitigate the vulnerability.

STIG	Date
Microsoft Excel 2010	2014-01-07

Details

Check Text ( C-33918r1_chk )
The policy value for User Configuration -> Administrative Templates -> Microsoft Excel 2010 -> Excel Options -> Advanced -> Web Options -> General “Load pictures from Web pages not created in Excel” must be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\14.0\excel\internet Criteria: If the value DoNotLoadPictures is REG_DWORD = 1, this is not a finding.

Check Text ( C-33918r1_chk )

The policy value for User Configuration -> Administrative Templates -> Microsoft Excel 2010 -> Excel Options -> Advanced -> Web Options -> General “Load pictures from Web pages not created in Excel” must be set to “Disabled”.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\14.0\excel\internet

Criteria: If the value DoNotLoadPictures is REG_DWORD = 1, this is not a finding.

Fix Text (F-29607r1_fix)
Set the policy value for User Configuration -> Administrative Templates -> Microsoft Excel 2010 -> Excel Options -> Advanced -> Web Options -> General “Load pictures from Web pages not created in Excel” to “Disabled”.