Disable dynamic caching of the form template in InfoPath eMail forms.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17654	DTOO169	SV-53378r1_rule		Medium

Description
By default, InfoPath 2007 caches form templates when they are attached to a mail item that is recognized as an InfoPath e-mail form. When users fill out forms that open with a restricted security level, InfoPath uses the cached version of the mailed template, rather than any published version. To circumvent users filling out a published form, an attacker could e-mail an alternate version of the form, which would return the data to the sender as part of a phishing attack and could be used to gain access to confidential information.

Description

By default, InfoPath 2007 caches form templates when they are attached to a mail item that is recognized as an InfoPath e-mail form. When users fill out forms that open with a restricted security level, InfoPath uses the cached version of the mailed template, rather than any published version. To circumvent users filling out a published form, an attacker could e-mail an alternate version of the form, which would return the data to the sender as part of a phishing attack and could be used to gain access to confidential information.

STIG	Date
Microsoft InfoPath 2013 STIG	2016-10-28

Details

Check Text ( None )
None

Fix Text (F-46302r1_fix)
Set the policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2013 -> InfoPath e-mail forms "Disable dynamic caching of the form template in InfoPath e-mail forms" to "Enabled".