Details

Users can attach any type of file to forms except potentially unsafe files that might contain viruses, such as .bat or .exe files. For the full list of file types that InfoPath disallows by default, see ‘Security Details’ in Insert a file attachment control on the Microsoft Office Online Web site.

If unsafe file types are added to InfoPath forms, they might be used as a means of attacking the computer on which the form is opened. These unsafe file types may include active content, or may introduce other vulnerabilities that an attacker can exploit.

Solution

Set the policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2010 -> Security -> ‘Prevent users from allowing unsafe file types to be attached to forms’ to ‘Enabled’.

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_InfoPath_2010_V1R11_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Windows.

References

• 800-53|SC-18(4)
• CAT|II
• CCI|CCI-001170
• Rule-ID|SV-33668r1_rule
• STIG-ID|DTOO160
• Vuln-ID|V-17764

Source

• Tenable.com/audits