Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Remote code execution vulnerability if certain types are specified in XOML file

Remote code execution vulnerability if certain types are specified in XOML file

View products that this article applies to.

Summary

A remote code execution vulnerability exists in Microsoft Visual Studio 2019 and Visual Studio 2017 if an XOML (Extensible Object Markup Language) file references certain types and causes random code to be run when the file is opened in Visual Studio.

There is now a restriction on which types are allowed to be used in .xoml files. If an .xoml file that contains one of the newly unauthorized types is opened, you receive an error message that states that the type is unauthorized.

To learn more about the vulnerability, go to CVE-2019-1113.

↑ Back to the top

Workaround

If an opened .xoml file does not cause security issues, you can disable the process of checking for unauthorized types. To do this, add a key to the <appSettings> section of the devenv.exe.config file, as follows:

...
<appSettings>
<add key="microsoft:WorkflowComponentModel:DisableXOMLSerializerTypeChecking" value="true"/>
</appSettings>
...


This appSetting value completely disables type checking in the XOML (Extensible Object Markup Language) serializer. If the value is set to true, it takes precedence over the following new appSetting value for disallowing only specific types.

If you want only to disallow some specific types, you have to make the following changes to the devenv.exe.config file:

...
<appSettings>
<add key="microsoft:WorkflowComponentModel:DisableXOMLSerializerDefaultUnauthorizedTypes" value="true"/>
</appSettings>
...


This change allows all types that are unauthorized by default. To mark specific types as unauthorized, you also have to make the following changes to the devenv.exe.config file:

...
<configuration>
...
<configSections>
<sectionGroup name="System.Workflow.ComponentModel.WorkflowCompiler" type="System.Workflow.ComponentModel.Compiler.WorkflowCompilerConfigurationSectionGroup, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
<section name="authorizedTypes" type="System.Workflow.ComponentModel.Compiler.AuthorizedTypesSectionHandler, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</sectionGroup>
</configSections>
...
<System.Workflow.ComponentModel.WorkflowCompiler>
<authorizedTypes>
<foo version="v4.0">
<authorizedType Assembly="System.Activities.Presentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Namespace="System.Activities.Presentation" TypeName="WorkflowDesigner" Authorized="false"/>
</foo>
</authorizedTypes>
</System.Workflow.ComponentModel.WorkflowCompiler>
...
</configuration>
...


These changes mark only the WorkflowDesigner type in the System.Activities.Presentation assembly as unauthorized, as follows:

  • Version: 4.0.0.0
  • Culture: neutral
  • PublicKeyToken: 31bf3856ad364e35

To mark other types as unauthorized, you can add similar entries for those types.

↑ Back to the top

Keywords: kbsurveynew, kbsecvulnerability, kbsecurity, kbsecreview, kbsecbulletin, kblangall, kb, kbfix, kbexpertiseinter, kbbug, atdownload, kbmustloc

↑ Back to the top

Article Info
Article ID : 4512190
Revision : 14
Created on : 7/9/2019
Published on : 7/9/2019
Exists online : False
Views : 361