Remote code execution vulnerability if certain types are specified in XOML file

Applies to: Visual Studio 2019, Visual Studio 2017

Summary


A remote code execution vulnerability exists in Microsoft Visual Studio 2019 and Visual Studio 2017: an XOML (Extensible Object Markup Language) file that references certain types can cause arbitrary code to be run when the file is opened in Visual Studio.

There is now a restriction on which types may be used in .xoml files. If you open an .xoml file that contains one of the newly unauthorized types, you receive an error message that states that the type is unauthorized.

To learn more about the vulnerability, go to CVE-2019-1113.

Workaround


If the .xoml files that you open do not pose a security issue, you can disable the check for unauthorized types. To do this, add a key to the <appSettings> section of the devenv.exe.config file, as follows:

...
<appSettings>
  <add key="microsoft:WorkflowComponentModel:DisableXOMLSerializerTypeChecking" value="true"/>
</appSettings>
...


This appSetting value completely disables type checking in the XOML (Extensible Object Markup Language) serializer. If the value is set to true, it takes precedence over the following new appSetting value for disallowing only specific types.

If you want only to disallow some specific types, you have to make the following changes to the devenv.exe.config file:

...
<appSettings>
  <add key="microsoft:WorkflowComponentModel:DisableXOMLSerializerDefaultUnauthorizedTypes" value="true"/>
</appSettings>
...


This change re-authorizes all types that are unauthorized by default. To then mark specific types as unauthorized, you also have to make the following changes to the devenv.exe.config file:

...
<configuration>
  ...
  <configSections>
    <sectionGroup name="System.Workflow.ComponentModel.WorkflowCompiler" type="System.Workflow.ComponentModel.Compiler.WorkflowCompilerConfigurationSectionGroup, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <section name="authorizedTypes" type="System.Workflow.ComponentModel.Compiler.AuthorizedTypesSectionHandler, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    </sectionGroup>
  </configSections>
  ...
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedTypes>
      <foo version="v4.0">
        <authorizedType Assembly="System.Activities.Presentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Namespace="System.Activities.Presentation" TypeName="WorkflowDesigner" Authorized="false"/>
      </foo>
    </authorizedTypes>
  </System.Workflow.ComponentModel.WorkflowCompiler>
  ...
</configuration>
...


These changes mark only the WorkflowDesigner type in the System.Activities.Presentation assembly with the following identity as unauthorized:

  • Version: 4.0.0.0
  • Culture: neutral
  • PublicKeyToken: 31bf3856ad364e35

To mark other types as unauthorized, you can add similar entries for those types.
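As an added example that is not part of the Microsoft article, the following Python script audits a devenv.exe.config document for the settings described above: it reports whether XOML serializer type checking has been disabled entirely (the first key, which takes precedence), whether the default unauthorized-type list has been switched off, and which types an explicit authorizedTypes list marks as unauthorized. The three sample configurations embedded in it are constructed for illustration, and the foo element name is copied from the article's fragment; the status labels are this script's own.

```python
"""Audit a devenv.exe.config document for the XOML serializer type-checking
settings.  Added example, not Microsoft's code; sample configs are constructed."""
import xml.etree.ElementTree as ET

# appSettings keys named in the article
DISABLE_ALL_KEY = "microsoft:WorkflowComponentModel:DisableXOMLSerializerTypeChecking"
DISABLE_DEFAULTS_KEY = "microsoft:WorkflowComponentModel:DisableXOMLSerializerDefaultUnauthorizedTypes"
# section group that carries the explicit authorizedTypes list
WF_SECTION = "System.Workflow.ComponentModel.WorkflowCompiler"


def _is_true(value):
    """Treat the attribute value case-insensitively ("true" / "True")."""
    return value is not None and value.strip().lower() == "true"


def _app_settings(root):
    """Collect <add key=... value=.../> pairs from every <appSettings> element."""
    settings = {}
    for app in root.iter("appSettings"):
        for add in app.findall("add"):
            settings[add.get("key")] = add.get("value")
    return settings


def audit_xoml_config(config_xml):
    """Return which checks are disabled, which types are explicitly denied,
    and an overall status string (labels are this script's own)."""
    root = ET.fromstring(config_xml)
    settings = _app_settings(root)
    all_disabled = _is_true(settings.get(DISABLE_ALL_KEY))
    defaults_disabled = _is_true(settings.get(DISABLE_DEFAULTS_KEY))

    # Entries with Authorized="false" inside the workflow compiler section
    denied = []
    for section in root.iter(WF_SECTION):
        for entry in section.iter("authorizedType"):
            authorized = entry.get("Authorized")
            if authorized is not None and not _is_true(authorized):
                denied.append(f"{entry.get('Namespace')}.{entry.get('TypeName')}")

    # The first key takes precedence over the second, as the article states
    if all_disabled:
        status = "UNSAFE: XOML serializer type checking is completely disabled"
    elif defaults_disabled and not denied:
        status = "UNSAFE: default unauthorized-type list disabled and no explicit denylist"
    elif defaults_disabled:
        status = "CUSTOM: default list replaced by an explicit denylist"
    else:
        status = "DEFAULT: built-in unauthorized-type list is enforced"
    return {
        "all_checking_disabled": all_disabled,
        "default_list_disabled": defaults_disabled,
        "explicitly_unauthorized": denied,
        "status": status,
    }


# Constructed sample configurations (not real devenv.exe.config files)
SAMPLE_DEFAULT = "<configuration><appSettings/></configuration>"

SAMPLE_ALL_DISABLED = """<configuration>
  <appSettings>
    <add key="microsoft:WorkflowComponentModel:DisableXOMLSerializerTypeChecking" value="true"/>
  </appSettings>
</configuration>"""

SAMPLE_CUSTOM = """<configuration>
  <configSections>
    <sectionGroup name="System.Workflow.ComponentModel.WorkflowCompiler" type="System.Workflow.ComponentModel.Compiler.WorkflowCompilerConfigurationSectionGroup, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <section name="authorizedTypes" type="System.Workflow.ComponentModel.Compiler.AuthorizedTypesSectionHandler, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    </sectionGroup>
  </configSections>
  <appSettings>
    <add key="microsoft:WorkflowComponentModel:DisableXOMLSerializerDefaultUnauthorizedTypes" value="true"/>
  </appSettings>
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedTypes>
      <foo version="v4.0">
        <authorizedType Assembly="System.Activities.Presentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Namespace="System.Activities.Presentation" TypeName="WorkflowDesigner" Authorized="false"/>
      </foo>
    </authorizedTypes>
  </System.Workflow.ComponentModel.WorkflowCompiler>
</configuration>"""


if __name__ == "__main__":
    for name, cfg in [("default", SAMPLE_DEFAULT),
                      ("all checking disabled", SAMPLE_ALL_DISABLED),
                      ("custom denylist", SAMPLE_CUSTOM)]:
        result = audit_xoml_config(cfg)
        print(f"{name}: {result['status']}; denied={result['explicitly_unauthorized']}")
```

To audit a real installation, read the devenv.exe.config file from the Visual Studio installation directory and pass its contents to audit_xoml_config; a result whose status starts with UNSAFE means the machine will open .xoml files with the built-in type restriction removed.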