
Summary

A remote code execution vulnerability exists in Microsoft Visual Studio 2019 and Visual Studio 2017: an XOML (Extensible Object Markup Language) file that references certain types can cause arbitrary code to run when the file is opened in Visual Studio.

There is now a restriction on which types are allowed to be used in .xoml files. If an .xoml file that contains one of the newly unauthorized types is opened, you receive an error message that states that the type is unauthorized.

To learn more about the vulnerability, go to CVE-2019-1113.

Workaround

If the .xoml files that you open do not pose a security risk, you can disable the check for unauthorized types. To do this, add a key to the <appSettings> section of the devenv.exe.config file, as follows:

...
<appSettings>
  <add key="microsoft:WorkflowComponentModel:DisableXOMLSerializerTypeChecking" value="true"/>
</appSettings>
...


This appSetting value completely disables type checking in the XOML (Extensible Object Markup Language) serializer. If the value is set to true, it takes precedence over the following new appSetting value for disallowing only specific types.

If you want to disallow only specific types, you have to make the following changes to the devenv.exe.config file:

...
<appSettings>
  <add key="microsoft:WorkflowComponentModel:DisableXOMLSerializerDefaultUnauthorizedTypes" value="true"/>
</appSettings>
...


This change allows all types that are unauthorized by default. To mark specific types as unauthorized, you also have to make the following changes to the devenv.exe.config file:

...
<configuration>
  ...
  <configSections>
    <sectionGroup name="System.Workflow.ComponentModel.WorkflowCompiler" type="System.Workflow.ComponentModel.Compiler.WorkflowCompilerConfigurationSectionGroup, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <section name="authorizedTypes" type="System.Workflow.ComponentModel.Compiler.AuthorizedTypesSectionHandler, System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    </sectionGroup>
  </configSections>
  ...
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedTypes>
      <foo version="v4.0">
        <authorizedType Assembly="System.Activities.Presentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Namespace="System.Activities.Presentation" TypeName="WorkflowDesigner" Authorized="false"/>
      </foo>
    </authorizedTypes>
  </System.Workflow.ComponentModel.WorkflowCompiler>
  ...
</configuration>
...


These changes mark only the WorkflowDesigner type in the System.Activities.Presentation assembly as unauthorized, as follows:

  • Version: 4.0.0.0

  • Culture: neutral

  • PublicKeyToken: 31bf3856ad364e35

To mark other types as unauthorized, you can add similar entries for those types.
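
To review which of these settings a given devenv.exe.config carries, the following added example (not Microsoft's code) reports the resulting mode using the precedence rule described above. The function names, mode labels and sample config are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

PREFIX = "microsoft:WorkflowComponentModel:"
KEY_NO_CHECK = PREFIX + "DisableXOMLSerializerTypeChecking"
KEY_NO_DEFAULTS = PREFIX + "DisableXOMLSerializerDefaultUnauthorizedTypes"

# Constructed sample built from the snippets above (not a real devenv.exe.config).
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="microsoft:WorkflowComponentModel:DisableXOMLSerializerDefaultUnauthorizedTypes" value="true"/>
  </appSettings>
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedTypes>
      <foo version="v4.0">
        <authorizedType Assembly="System.Activities.Presentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Namespace="System.Activities.Presentation" TypeName="WorkflowDesigner" Authorized="false"/>
      </foo>
    </authorizedTypes>
  </System.Workflow.ComponentModel.WorkflowCompiler>
</configuration>"""


def flag_is_true(root, key):
    """Return True if <appSettings> sets key to "true"; the last entry wins."""
    value = False
    for add in root.findall("./appSettings/add"):
        if add.get("key") == key:
            value = (add.get("value") or "").strip().lower() == "true"
    return value


def audit_xoml_settings(config_xml):
    """Summarise the XOML type-checking settings found in a config document."""
    root = ET.fromstring(config_xml)
    listed = [
        f'{t.get("Namespace")}.{t.get("TypeName")}'
        for t in root.iter("authorizedType")
        if (t.get("Authorized") or "").strip().lower() == "false"
    ]
    if flag_is_true(root, KEY_NO_CHECK):
        mode = "checking-disabled"    # takes precedence: no type is rejected
    elif flag_is_true(root, KEY_NO_DEFAULTS):
        mode = "explicit-list-only"   # default unauthorized types are allowed
    else:
        mode = "default"              # default restriction is in effect
    return {"mode": mode, "listed_unauthorized": listed}


if __name__ == "__main__":
    print(audit_xoml_settings(SAMPLE_CONFIG))
```

A result of "checking-disabled" means the workaround that turns off type checking entirely is active on that machine, which is the setting to flag for review.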
