Security Considerations: Windows Image Acquisition

This document provides information about security considerations related to Windows Image Acquisition (WIA). This document doesn't provide all you need to know about security issues - instead, use it as a starting point and reference for this technology area.

Use quotation marks around path names

When using IWiaDevMgr::RegisterEventCallbackProgram to register an application to receive device events, be sure to surround the path and filename of the application with quotation marks. This avoids the possibility that the path is misinterpreted and an unauthorized application is run.

Place registered applications in secure locations

When an application is registered to receive a device event, that application can be run by any user that has access to that device. For example, if an application is registered for a scan event, pressing the "scan" button on a scanner will cause that application to run. If the application runs with a higher privilege than the user has, this causes a potential security issue.

Do not use underlying directories or registry keys

WIA uses several directories and registry keys internally to store data or information. Do not access these directories or registry keys directly. Instead, use the exposed interface methods to specify directories for acquired images.