Do Not rely on Vector markup Language (VML) for displaying graphics in browsers.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17773	DTOO180 - Office	SV-18983r1_rule	ECSC-1	Medium

Description
When saving documents as Web pages, Excel 2007, PowerPoint 2007, and Word 2007 can save vector–based graphics in Vector Markup Language (VML), which enables Internet Explorer to display them smoothly at any resolution. By default, when saving VML graphics, 2007 Office applications also save copies of the graphics in a standard raster file format (GIF or PNG) for use by browsers that cannot display VML. If the Rely on VML for displaying graphics in browsers check box in the Web Options dialog box is selected, applications will not save raster copies of VML graphics, which means those graphics will not display in non-Microsoft browsers.

Description

When saving documents as Web pages, Excel 2007, PowerPoint 2007, and Word 2007 can save vector–based graphics in Vector Markup Language (VML), which enables Internet Explorer to display them smoothly at any resolution. By default, when saving VML graphics, 2007 Office applications also save copies of the graphics in a standard raster file format (GIF or PNG) for use by browsers that cannot display VML. If the Rely on VML for displaying graphics in browsers check box in the Web Options dialog box is selected, applications will not save raster copies of VML graphics, which means those graphics will not display in non-Microsoft browsers.

STIG	Date
Microsoft Office System 2007	2015-10-02

Details

Check Text ( C-19036r1_chk )
The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ General \ Web Options -> Browsers “Rely on VML for displaying graphics in browsers” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Internet Criteria: If the value RelyOnVML is REG_DWORD = 0, this is not a finding.

Check Text ( C-19036r1_chk )

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ General \ Web Options -> Browsers “Rely on VML for displaying graphics in browsers” will be set to “Disabled”.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\12.0\Common\Internet

Criteria: If the value RelyOnVML is REG_DWORD = 0, this is not a finding.

Fix Text (F-17672r1_fix)
The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ General \ Web Options -> Browsers “Rely on VML for displaying graphics in browsers” will be set to “Disabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

Fix Text (F-17672r1_fix)

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ General \ Web Options -> Browsers “Rely on VML for displaying graphics in browsers” will be set to “Disabled”.

"Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)."

"Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."