Microsoft sweeps up after breaking .NET with December security updates
XPS doc display issues fixed – until the next patch, at least
Microsoft this week rolled out fixes to issues caused by security updates released in December 2022 that botched how XPS documents are displayed in various versions of .NET and .NET Framework.
Some users who installed the security updates for those developer platforms saw problems with how Windows Presentation Foundation (WPF) applications rendered XPS documents. The out-of-band emergency fixes land after Microsoft issued two different workarounds.
"XPS documents which utilize structural or semantic elements like table structure, storyboards, or hyperlinks may not display correctly in WPF-based readers," the vendor wrote on the Window Health Dashboard page. "Additionally, some inline images may not display correctly, or Null reference exceptions might happen when XPS documents are loaded into WPF-based readers."
Microsoft listed the seven affected .NET versions in the dashboard notice.
The Windows maker initially outlined a compatibility workaround that included downloading a PowerShell script written to address the issue and running a command within a PowerShell prompt. A message would tell the user whether the command worked; if not, there was a procedure for removing the workaround.
A second workaround called for using a registry entry to disable the enhanced security operation, with Microsoft cautioning that the move "should only be done if you know for certain that all XPS documents your system processes are trustable, for example they are generated by your system, rather than uploaded to your system, and they cannot be changed by anyone."
Enterprises were warned not to turn off the security functionality if they took XPS documents from such untrusted sources as the internet or emails from external entities.
- Attackers abuse Microsoft's 'verified publisher' status to steal data
- Microsoft upgrades Defender to lock down Linux gear for its own good
- Microsoft Office 365 Cloud has a secret lining
- Gootloader malware updated with PowerShell, sneaky JavaScript
The PowerShell script in the first workaround addresses compatibility issues, so it won't disable the December security updates. However, with the registry workaround, the system is vulnerable to threats because it disables the WPF portion of the security fixes, which is the reason behind the warning about untrusted sources.
Micrsoft;'s hard pressed users can continue to use Windows' built-in XPS viewer application to safely view untrusted XPS documents.
And they can get the out-of-band update package through the Microsoft Update Catalog or manually import the fixes into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. The updates won't install automatically on the systems.
The updates released this week address the issue for some versions of .NET Framework and Microsoft said it is hoping to restore compatibility and fix the underlying security issue for the other affected versions in a later update.
The company also recommended that Windows administrators use the latest fixes and remove any of the earlier workaround. ®