A number of people have reported problems using the ActiveX print control in the report viewer after installing Microsoft Update 956391. Specifically, users receive the error "Unable to load client print control" when clicking on the print icon in the report viewer toolbar. I would like to explain what is happening, why we did it, and how to fix the problems that you or your customers are experiencing.
What’s a Kill Bit?
Let’s start with what Microsoft Update 956391 actually does. This update includes a kill bit for the ActiveX client print control used by Reporting Services. This print control is distributed with a number of components, including SQL Server 2000, SQL Server 2005, and Visual Studio 2008. A kill bit is an instruction to Internet Explorer to prevent it from loading an ActiveX control. In this case, Internet Explorer has been told not to load the Reporting Services client print control. As a result, when attempting to do so, the report viewer fails and displays the "unable to load" error.
Setting the kill bit is typically done only in extreme cases, such as security vulnerabilities. That’s what happened in this case. The security vulnerability is not actually in the print control itself, but rather the GDI+ DLL that we ship with the print control. The details of that vulnerability are described in MS08-052. Even though we have patched the vulnerability, the kill bit is a defense in depth option to prevent malicious users from sending the Microsoft signed client print control and then exploiting the vulnerability. The kill bit prevents the client print control from loading regardless of where it comes from.
Which Client Print Controls are Affected?
The client print controls that shipped with SQL Server 2000, SQL Server 2005, Visual Studio 2008, and the Report Viewer 2008 redistributable all use the same CLSID and are therefore all disabled by the update. The table below shows the different CLSIDs that are used by the different versions of Reporting Services:
The previously shipped versions (using the first CLSID in the table) have been updated with a new version of GDI+ and a new CLSID to allow IE to load the control. If you are using Report Server 2000, Report Server 2005, or the web control from VS 2008 in local mode, you will need to download an update so that your servers distribute the new print control.
Notice that SQL Server 2008 is not affected by this update and uses a different CLSID. The print control that ships with SQL Server 2008 does not include the GDI+ DLL. This DLL was included in earlier versions due to the requirement that they work on Windows 98 and Windows 2000. But with that requirement dropped from SQL Server 2008, we no longer need to ship GDI+. The new CLSID for SQL Server 2008 prevents Internet Explorer from replacing a working client print control on Windows 98 or 2000 with the newer version that does not work on that operating system.
Which Report Viewers are Affected?
Now that we’ve established which print controls are affected, we also need to talk about the report viewer control itself. Even though the ReportViewer control in Visual Studio 2005 does not ship a print control, it still needs to be updated. To understand why, let’s take a look at the HTML that is sent to the browser when you click on the print button:
<OBJECT ID="RSClientPrint" CLASSID="CLSID:FA91DF8D-53AB-455D-AB20-F2F023E498D3" CODEBASE="/ReportServer/Reserved.ReportViewerWebControl.axd?<report specific values>&OpType=PrintCab#Version=2005,090,3042,00" VIEWASTEXT></OBJECT>
The object tag specifically references the disabled CLSID. Even though an updated report server will return a new client print control, the ReportViewer web control still generates the old CLSID. In hindsight, it would have been better for the Report Server to expose the CLSID for its client print control and for the ReportViewer ASP.Net control to use that when generating its HTML. But those products have already shipped. So we have also updated all versions of the ReportViewer (including the ReportViewer Web Part for use in SharePoint integrated mode) to write out the new CLSID.
We also support using the client print control directly in your application without a ReportViewer control. If you do that, you will need to update it to write out the new CLSID as well.
What do you need to download?
To get to a working state, you will need to do the following:
Below is a list of available updates (also available from MS08-052):
SQL Server 2000: http://www.microsoft.com/downloads/details.aspx?familyid=5F9E7F78-7439-414B-A9DC-A779B89427DB
SQL Server 2005: http://www.microsoft.com/downloads/details.aspx?familyid=5148B887-F323-4ADB-9721-61E1C0CFD213
Visual Studio 2005: http://www.microsoft.com/downloads/details.aspx?familyid=A7BF790B-3249-4EE8-9440-FA911EBBC08A
Visual Studio 2008: http://www.microsoft.com/downloads/details.aspx?familyid=A8C80B29-6D00-4949-A005-5D706122919A
Report Viewer 2005 Redistributable: http://www.microsoft.com/downloads/details.aspx?familyid=82833F27-081D-4B72-83EF-2836360A904D
Report Viewer 2008 Redistributable: http://www.microsoft.com/downloads/details.aspx?familyid=6AE0AA19-3E6C-474C-9D57-05B2347456B1
Reporting Services SharePoint Add-In: http://www.microsoft.com/downloads/details.aspx?FamilyID=1e53f882-0c16-4847-b331-132274ae8c84&displaylang=en