FlowDocument (XPS) with Windows Update KB5020880 (CVE-2022-41089)


On 13 December 2022 Microsoft released a Windows Update, KB5020880 (CVE-2022-41089), for .NET 4.8.1, which should fix a security problem in XPS.

Since then the FlowDocument, which will be rendered to XPS, will not show local images anymore. I do need local images, because I have to create and embed them dynamically.

<FlowDocument xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
              xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
              PageHeight="29.7cm" 
              PageWidth="21cm" >
    <Section Padding="40,0,20,0">
      <Paragraph>before image</Paragraph>
  
      <Paragraph FontSize="10" FontFamily="Verdana">
        <Image Source="c:/Test/MyImage.jpg" Margin="40,40,0,0" />
      </Paragraph>
  
      <Paragraph>after image</Paragraph>
    </Section>
</FlowDocument>

DocumentViewer shows the FlowDocument like this, as soon as it has been converted into an XpsDocument.


Does anyone have a solution for this?

Any help is very welcome.

Cheers, jaz

3


5
Nils Beckmann On

This behaviour seems to be related to a security fix for XPS introduced with the update you refer to. Microsoft provides a workaround document: https://support.microsoft.com/en-gb/topic/kb5022083-change-in-how-wpf-based-applications-render-xps-documents-a4ae4fa4-bc58-4c37-acdd-5eebc4e34556

The Alternate Workaround worked for me; however, it will make systems susceptible again to the security issues fixed with the update.

5
Jeff On

We are running into a similar problem. This doesn't work for everyone, but if you can switch from FlowDocument to FixedDocument, that can solve the problem also. FixedDocument doesn't seem to be affected by this latest MS security change. Perhaps it is the "flowing/resizing" part that was insecure.
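
The FixedDocument route from the answer above, applied to the document in the question, as an added example that is not part of the original posts; it leaves the security update installed. The class and method names and both path parameters are assumptions, and whether the image renders on a patched system rests on the report in that answer.

```csharp
using System;
using System.IO;
using System.Windows;
using System.Windows.Controls;
using System.Windows.Documents;
using System.Windows.Media.Imaging;
using System.Windows.Xps.Packaging;

// Hypothetical helper (added example). Call it on an STA thread; needs references to
// PresentationCore, PresentationFramework, ReachFramework, System.Printing, WindowsBase.
public static class FixedDocumentSample
{
    const double DipPerCm = 96.0 / 2.54;   // WPF device-independent pixels per centimetre

    public static void WriteXps(string imagePath, string xpsPath)
    {
        // Same A4 page size as the FlowDocument in the question.
        var page = new FixedPage { Width = 21 * DipPerCm, Height = 29.7 * DipPerCm };

        // Decode the dynamically created image up front so the file is not kept locked.
        var bitmap = new BitmapImage();
        bitmap.BeginInit();
        bitmap.CacheOption = BitmapCacheOption.OnLoad;
        bitmap.UriSource = new Uri(Path.GetFullPath(imagePath));
        bitmap.EndInit();
        bitmap.Freeze();

        // A FixedPage does not flow content: every element gets an explicit position.
        Place(page, new TextBlock { Text = "before image" }, 40, 40);
        Place(page, new Image { Source = bitmap, Width = bitmap.Width, Height = bitmap.Height }, 80, 100);
        Place(page, new TextBlock { Text = "after image" }, 40, 140 + bitmap.Height);

        // Force a layout pass so the page has content when it is serialized.
        var size = new Size(page.Width, page.Height);
        page.Measure(size);
        page.Arrange(new Rect(size));
        page.UpdateLayout();

        var document = new FixedDocument();
        document.Pages.Add(new PageContent { Child = page });

        if (File.Exists(xpsPath)) File.Delete(xpsPath);   // start from an empty package
        using (var xps = new XpsDocument(xpsPath, FileAccess.ReadWrite))
            XpsDocument.CreateXpsDocumentWriter(xps).Write(document);
    }

    static void Place(FixedPage page, UIElement element, double left, double top)
    {
        FixedPage.SetLeft(element, left);
        FixedPage.SetTop(element, top);
        page.Children.Add(element);
    }
}
```

The trade-off against the FlowDocument version is that pagination and text wrapping have to be handled by the caller.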

0
martindsa On

There is a GitHub issue about this update. They wrote about an update with a fix for this and we are waiting for it.