One of the documented known issues of the update is the enforcement of a graphics filter "Allow List". The graphics filter "Allow List" and its functionality should be documented in the Microsoft Knowledge Base KB2479871 article (link to article).
From what I understand of the KB2479871 article documentation, the MS10-105 update, modifies the way Office 2003, Office 2007, and Office 2010 handles graphics and seems to qualify graphics formats against a list of permissible formats (the "Allow List"). Only the Bitmap (.bmp), Encapsulated PostScript (.eps), Graphics Interchange Format (.gif), Joint Photographic Experts Group (.jpg, .jpeg), Macintosh PICT (.pict), and Portable Network Graphics (.png) formats should be defined to be permitted by default. The display or use of formats other graphics should not be permitted by Microsoft Office (various versions).
I tried testing the "Allow List" behavior in Microsoft Office 2003. Microsoft Office 2003 should support the TIFF format, but the TIFF format should not be defined to be allowed/permitted on the Allow List (inferred from the information in the KB2479871 article). To test the behavior of the Allow List, I performed the following procedure on a computer with Windows XP Professional with Service Pack 2 and Microsoft Office 2003 installed:
- Apply the MS10-105 update for Microsoft Office 2003 with SP3, KB2289163 ("office2003-KB2289163-FullFile-ENU.exe").
- Create TIFF image in Adobe Photoshop 7.0.1 import the image into a new Word document (".doc" type).
- Save and close the document.
- Open and examine the document using Microsoft Word.
During and after the procedure, I noticed that the TIFF image imported and displayed.
The expected result of the "Allow List" test was that the TIFF image would not display (and possibly not even import). However, the TIFF image, a format that should have not been permitted, displayed.
I have attached a copy of the document I created using the procedure above ("Image support test.doc"), as well as an archive ("Test_Image.zip") with the image used in the procedure ("Test_Image.tif").
Am I interpreting the function of the "Allow List" incorrectly? If so, what should the "Allow List" actually do?
Edited by Ascii2, 16 September 2011 - 08:28 PM.