V-17187 | Medium | Disable Trust Bar Notification for unsigned application add-ins - InfoPath | By default, if an application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will... |
V-17184 | Medium | Block pop-ups for links that invoke instances of IE from within InfoPath. | The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of... |
V-17183 | Medium | Block navigation to URL embedded in Office products to protect against attack by malformed URL. | To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007... |
V-17667 | Medium | Disable sending the form template with the eMail form in InfoPath. | By default, InfoPath 2007 allows users to attach form templates when sending e-mail forms. If users are able to open form templates included with e-mail forms, rather than using a cached version... |
V-17582 | Medium | Enable the Restriction on adding custom code to InfoPath forms. | By default, users can design new InfoPath 2007 forms that use custom code to add interactivity and other functionality to forms. Designers can add managed code written in C# and Visual Basic .NET,... |
V-17580 | Medium | Control Forms Opening behavior for EMail forms containing code or scripts - InfoPath. | By default, InfoPath 2007 notifies and prompts users before opening InfoPath e-mail forms that contain code or script. If this restriction is relaxed, InfoPath will open e-mail forms that contain... |
V-17663 | Medium | Disable opening of solutions from the Internet Security Zone - InfoPath. | Attackers could use InfoPath 2007 solutions published to Internet Web sites to try to obtain sensitive information from users. By default, users can open InfoPath solutions that do not contain... |
V-17764 | Medium | Prevent unsafe file types to be attached to InfoPath forms. | By default, users can attach any type of file to forms except potentially unsafe files that might contain viruses, such as .bat or .exe files. For the full list of file types that InfoPath 2007... |
V-17745 | Medium | Beaconing UI shown for forms opened in InfoPath - InfoPath | Malicious users can create InfoPath forms with embedded Web beacons that can be used to contact an external server when the user opens the form. Information could be gathered by the form, or... |
V-17746 | Medium | Beaconing UI forms opened in Editor ActiveX - InfoPath | InfoPath 2007 makes it possible to host InfoPath forms in other applications as ActiveX controls. Such controls are known as InfoPath form controls. A malicious user could insert a Web beacon into... |
V-17668 | Medium | Disable sending "InfoPath 2003" forms as email forms in InfoPath 2007. | An attacker might target InfoPath 2003 forms to try and compromise an organization's security. InfoPath 2003 did not write a publish location for e-mail forms, which meant that forms could open... |
V-17173 | Medium | Disable user name and password syntax from being used in URLs | The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to... |
V-17646 | Medium | Disable the Information Rights Management feature for InfoPath. | By default, users can use Information Rights Management (IRM) in InfoPath 2007 to create forms that have restricted permission for specific people who will access the form. By using IRM, users can... |
V-17174 | Medium | Enable IE Bind to Object functionality for instances of IE launched from InfoPath. | Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the... |
V-17175 | Medium | Evaluate Saved from URL mark when launched from InfoPath. | Typically, when Internet Explorer loads a web page from a UNC share that contains a Mark of the Web (MOTW) comment that indicates the page was saved from a site on the Internet, Internet Explorer... |
V-17758 | Medium | Offline Mode enabled to cache queries for offline mode. | InfoPath 2007 can function in online mode or offline mode. It can also cache queries for use in offline mode. If offline mode is used and cached queries are enabled, sensitive information... |
V-17658 | Medium | Disable Fully Trusted Solutions access to computers - InfoPath | By default, InfoPath 2007 users can choose whether to allow trusted forms to run on their computers. The Full Trust security level allows a form to access local system resources, such as COM... |
V-17657 | Medium | Disable eMail forms running in Restricted Security Level - InfoPath. | InfoPath 2007 forms that run with the restricted security level can only access data that is stored on the forms. However, a malicious user could still send an e-mail form that runs with the... |
V-17656 | Medium | Disable eMail forms from the Internet Security Zone for InfoPath. | InfoPath 2007 e-mail forms can be designed by an external attacker and sent over the Internet as part of a phishing attempt. Users might fill out such forms and provide sensitive information to... |
V-17655 | Medium | Disable email forms from the Full Trust Security Zone - InfoPath | InfoPath provides three security levels for form templates: Restricted, Domain, and Full Trust. The security levels determine whether a form template can access data on other domains, or access... |
V-17654 | Medium | Disable dynamic caching of the form template in InfoPath eMail forms. | By default, InfoPath 2007 caches form templates when they are attached to a mail item that is recognized as an InfoPath e-mail form. When users fill out forms that open with a restricted security... |
V-17611 | Medium | Email with InfoPath forms to show UI to recipients. | Malicious users could send e-mail InfoPath forms with embedded Web beacons that can be used to track when recipients open the form and provide confirmation that recipients' e-mail addresses are... |
V-17578 | Medium | Control behavior when opening forms in the Intranet Security Zone - InfoPath | When InfoPath solutions are opened locally, the location of the form is checked so that updates to the form can be downloaded. If a user saves a form locally from a location on the Local Intranet... |
V-17579 | Medium | Control behavior when opening eMail forms in the Trusted Site Security Zone - InfoPath | When InfoPath solutions are opened locally, the location of the form is checked so that updates to the form can be downloaded. If a user saves a form locally from a location in the Trusted Sites... |
V-17576 | Medium | Block redirection behavior for upgraded web sites by SharePoint - Infopath. | During a Windows SharePoint Services gradual upgrade, sites that have been upgraded remain available at their original URLs (for example, http://<company_name>/sites/SiteA), while sites that are... |
V-17577 | Medium | Control "open forms" behavior for Internet Security zone - InfoPath | When InfoPath solutions are opened locally, the location of the form is checked so that updates to the form can be downloaded. If a user saves a form locally from a location on the Internet and... |