FlowDocument (XPS) with Windows Update KB5020880 (CVE-2022-41089)

On 13 December 2022 Microsoft released Windows Update KB5020880 (CVE-2022-41089) for .NET 4.8.1, which should fix a security problem in XPS.

Since then the FlowDocument, which will be rendered to XPS, will not show local images anymore. I do need local images, because I have to create and embed them dynamically.

<FlowDocument xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
              xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
              PageHeight="29.7cm" 
              PageWidth="21cm" >
    <Section Padding="40,0,20,0">
      <Paragraph>before image</Paragraph>
  
      <Paragraph FontSize="10" FontFamily="Verdana">
        <Image Source="c:/Test/MyImage.jpg" Margin="40,40,0,0" />
      </Paragraph>
  
      <Paragraph>after image</Paragraph>
    </Section>
</FlowDocument>

DocumentViewer shows the FlowDocument like this, as soon as it has been converted into an XpsDocument.


Does anyone have a solution for this?

Any help is very welcome.

Cheers, jaz

Vandavandal answered 17/12, 2022 at 10:46 Comment(1)
Here is a similar question: #74880085 - Glindaglinka

There is a GitHub issue about this update. They wrote about an update with a fix for this and we are waiting for it.

Horsepowerhour answered 4/1, 2023 at 21:39 Comment(0)

This behaviour seems to be related to a security fix for XPS introduced with the update you refer to. Microsoft provides a workaround document:
https://support.microsoft.com/en-gb/topic/kb5022083-change-in-how-wpf-based-applications-render-xps-documents-a4ae4fa4-bc58-4c37-acdd-5eebc4e34556
The Alternate Workaround worked for me; however, it will make systems susceptible again to the security issues fixed with the update.

Dube answered 19/12, 2022 at 18:54 Comment(5)
Unfortunately, we cannot use the security workaround as customers install our software on their own machines ... and the last thing we want to do is make them vulnerable to a security issue. - Glindaglinka
We also tried the PowerShell script that Microsoft provides in that knowledge base article. The PowerShell script adds several string values to the registry under the key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes. This did not fix the issue. - Glindaglinka
I ran this:
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes" /v "DisableDec2022Patch" /t REG_SZ /d "*" /reg:64
And our images reappeared in the FlowDocument (used for print and print preview). However, this is NOT good enough as a solution - if the included Windows XPS Viewer is not affected by this issue, then please tell me how that has been implemented?? - Doubleheader
Yes @sergeantKK, that is exactly the security workaround that we do not want to use ... as it simply disables the security fix. - Glindaglinka
Unfortunately these registry entries did not work for us. Images stay invisible. - Vandavandal
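
A read-only audit for the opt-out discussed in the comments above, added here as an example that is not part of the original thread or of Microsoft's KB script: it reports whether the `DisableDec2022Patch` value is present under the `XPSAllowedTypes` key, so a machine where the security fix has been switched off can be found again later. The function name is hypothetical, and checking the 32-bit registry view in addition to the `/reg:64` view used above is an assumption that goes beyond the thread.

```powershell
# Added audit example. Key path and value name are taken from the comments above.
$subKey = 'SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes'
$optOut = 'DisableDec2022Patch'

# Hypothetical helper: inspects one registry view without modifying anything.
function Get-XpsAllowedTypesState {
    param([Microsoft.Win32.RegistryView]$View)

    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($subKey)    # opened read-only; $null when the key is absent
        $names = @()
        $data  = $null
        if ($null -ne $key) {
            try {
                $names = @($key.GetValueNames())
                $data  = $key.GetValue($optOut)   # $null when the value does not exist
            } finally {
                $key.Close()
            }
        }
        [pscustomobject]@{
            View          = $View
            KeyPresent    = ($null -ne $key)
            OptOutPresent = ($names -contains $optOut)   # -contains is case-insensitive
            OptOutData    = $data
            # Other values in the key (for example those added by the KB script).
            OtherValues   = @($names | Where-Object { $_ -ne $optOut })
        }
    } finally {
        $base.Close()
    }
}

# On 64-bit Windows, Registry32 maps to the WOW6432Node copy read by 32-bit processes.
$report = foreach ($view in 'Registry64', 'Registry32') {
    Get-XpsAllowedTypesState -View $view
}
$report | Format-List

if ($report | Where-Object { $_.OptOutPresent }) {
    Write-Warning "$optOut is set: the December 2022 XPS security fix is disabled for WPF on this machine."
}
```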

We are running into a similar problem. This doesn't work for everyone, but if you can switch from FlowDocument to FixedDocument, that can solve the problem also. FixedDocument doesn't seem to be affected by this latest MS security change. Perhaps it is the "flowing/resizing" part that was insecure.

Scavenge answered 4/1, 2023 at 19:23 Comment(5)
I am not having a problem with FixedDocument either, but I am with our dynamic report generator, which uses flow document. However, even using FixedDocument the preview does not work (saving as a PDF does). I wonder if this is because we are using documentPaginator in the preview method. - Sivie
I am awarding the bounty to this answer because I was able to use a FixedDocument approach to getting around the issue. I want to note two other things as well. First, our printing implementation did not utilize a FlowDocument ... it used an XpsDocument and writing Visual(s) using System.Windows.Xps.VisualsToXpsDocument class (accessed by CreateVisualsCollator off of the XpsDocumentWriter). - Glindaglinka
The second thing I want to note is that Microsoft is currently working on a fix. See the link in @martindsa's answer for more information. - Glindaglinka
Our report renderer creates FixedDocument from FlowDocuments. Same problem, images stay invisible in FixedDocuments. - Vandavandal
Hopefully you're not calling XpsDocument.GetFixedDocumentSequence. That call definitely causes the issue. I think the real issue with FlowDocument is with the Paginator. If you avoid those 2 things, I'm surprised your FixedDocument won't show images. - Scavenge
