Status Tracking Note JVNTR-2009-09

Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution (TA09-132A)

Overview

Microsoft is investigating new reports of a vulnerability in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file.

Event Information

Date (UTC)    Source / Description
2009-06-09 Microsoft
MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution
Bulletin rereleased to provide security update packages for Mac and Microsoft Works.
2009-05-22 Secunia Research
2009-29: Microsoft PowerPoint Freelance Layout Parsing Vulnerability
Microsoft PowerPoint Freelance Translator vulnerability (CVE-2009-0202)
Vulnerability Reported
2009-05-13 03:15 JPCERT/CC
JPCERT-AT-2009-0008:
2009-05-12 23:04 Microsoft
ms09-may: Microsoft Security Bulletin Summary for May 2009
Included in this advisory are updates for newly discovered vulnerabilities.
2009-05-12 22:06 US-CERT
TA09-132A: Microsoft PowerPoint Multiple Vulnerabilities
Via US-CERT Mailing List
2009-05-12 19:12 Microsoft
Microsoft Security Advisory (969136): Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution
Memory Corruption Vulnerability (MS09-017, CVE-2009-0556)
Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS09-017 to address this issue.
2009-05-12 17:50 SANS Internet Storm Center
May Black Tuesday Overview
Overview of the May 2009 Microsoft patches and their status.
2009-05-12 17:35 US-CERT
Microsoft Releases May Security Bulletin
US-CERT Current Activity
Microsoft has released an update to address a vulnerability in Microsoft Office as part of the Microsoft Security Bulletin Summary for May 2009. By convincing a user to open a specially crafted PowerPoint file, an attacker may be able to execute arbitrary code.
2009-05-12 17:29 Symantec
ThreatCON (1) => (2)
The ThreatCon is at Level 2. Microsoft has released a Security Bulletin to address a total of 14 vulnerabilities affecting several versions of Microsoft PowerPoint.
2009-05-08 04:46 Microsoft
ms09-may: Microsoft Security Bulletin Advance Notification for May 2009
Included in this advisory are updates for newly discovered vulnerabilities.
2009-04-03 12:47 US-CERT
Microsoft Releases Security Advisory 969136
US-CERT Current Activity
Microsoft has released security advisory 969136 to address reports of a vulnerability in Microsoft Office PowerPoint. By convincing a user to open a specially crafted Office file, a remote attacker may be able to gain access to the affected system with the same rights as the user running PowerPoint.
2009-04-03 IBM Internet Security Systems
Microsoft PowerPoint Remote Code Execution Vulnerability
Microsoft Office PowerPoint could allow a remote attacker to execute arbitrary code on the system, caused by an unspecified error when handling .ppt files. There are confirmed reports of targeted exploitation.
2009-04-03 Trend Micro
TROJ_PPDROP.AB
Exploiting PowerPoint Vulnerability (CVE-2009-0556)
2009-04-03 Symantec
Trojan.PPDropper.H
Exploiting PowerPoint Vulnerability (CVE-2009-0556)
2009-04-02 23:57 Symantec
ThreatCON (1) => (2)
On April 2, 2009, Microsoft released a security advisory that addresses a remote code-execution vulnerability in Microsoft Office PowerPoint. Limited and targeted attacks using this vulnerability have been reported.
2009-04-02 23:11 Microsoft
Microsoft Security Advisory (969136): Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution
Advisory published.
Microsoft is investigating new reports of a vulnerability in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability.
2009-02-24 iDefense
Microsoft PowerPoint 4.2 Conversion Filter Heap Corruption Vulnerability
Legacy File Format Vulnerability (MS09-017, CVE-2009-0223)
Vulnerability Reported
There is code that parses structures in the PowerPoint file. If the number of these structures is greater than a certain value, then memory corruption will occur. This memory corruption leads to the executing of arbitrary code.
2008-12-03 iDefense
Microsoft PowerPoint 4.2 Conversion Filter Stack Buffer Overflow Vulnerability
Legacy File Format Vulnerability (MS09-017, CVE-2009-0227)
Vulnerability Reported
There is code that parses structures in the PowerPoint file. If the number of these structures is greater than a certain value, then memory corruption will occur. This memory corruption leads to the executing of arbitrary code.
2008-12-03 iDefense
Microsoft PowerPoint 4.2 Conversion Filter Stack Overflow
Legacy File Format Vulnerability (MS09-017, CVE-2009-0226)
Vulnerability Reported
There is code that parses a string in the PowerPoint file. If the size of this data is greater than a certain value, then memory corruption will occur. This memory corruption can lead to the vulnerable code executing an attacker supplied address.
2008-10-22 iDefense
Microsoft PowerPoint Notes Container Heap Corruption Vulnerability
Heap Corruption Vulnerability (MS09-017, CVE-2009-1130)
Vulnerability Reported
The vulnerability occurs when parsing the Notes container inside of the PowerPoint Document stream. This container is used to hold records related to notes that appear on the slides. By inserting a value into a container, it is possible to trigger a memory corruption vulnerability.
2008-10-06 iDefense
Microsoft PowerPoint Build List Memory Corruption Vulnerability
Memory Corruption Vulnerability (MS09-017, CVE-2009-0224)
Vulnerability Reported
The vulnerability occurs during the parsing of the BuildList record. This record is a container for other records that describe charts and diagrams in the PowerPoint file. By inserting multiple BuildList records with ChartBuild containers inside of them, it is possible to trigger a memory corruption vulnerability during the parsing of the ChartBuild container's contents. This allows an attacker to control an object pointer, which can lead to attacker supplied function pointers being dereferenced.
2008-09-03 iDefense
Microsoft PowerPoint Integer Overflow Vulnerability
Integer Overflow Vulnerability (MS09-017, CVE-2009-0221)
Vulnerability Reported
The vulnerability occurs during the parsing of two related PowerPoint record types. The first record type is used to specify collaboration information for different slides. One of the fields in this record contains a 32-bit integer that is used to specify the number of a specific type of records that are present in the file. This integer is used in a multiplication operation that calculates the size of a heap buffer that will be used to store the records as they are read in from the file. The calculation can overflow, resulting in an undersized heap buffer being allocated. By providing a large value for the record count, and inserting enough dummy records, it is possible to trigger a heap based buffer overflow.
2008-08-29 iDefense
Microsoft PowerPoint PPT 4.0 Importer Multiple Stack Buffer Overflow Vulnerabilities
Legacy File Format Vulnerability (MS09-017, CVE-2009-0220)
Vulnerability Reported
The first vulnerability occurs when reading in a record header from the file. Due to an incorrect buffer size calculation, it is possible to overflow a stack-based buffer. Proper exploitation of this eventually leads to control of the instruction pointer register, allowing for the execution of arbitrary code. The second vulnerability occurs when reading in record data from the file. An integer is taken from the file, and used to control the number of bytes to copy into a fixed size stack buffer. This leads to a trivially exploitable stack-based buffer overflow.
2008-06-25 Zero Day Initiative (ZDI)
ZDI-09-020: Microsoft Office PowerPoint Notes Container Heap Overflow Vulnerability
Heap Corruption Vulnerability (MS09-017, CVE-2009-1130)
Vulnerability Reported
The vulnerability exists within the parsing of certain structures inside a Notes container. During population of a C++ object when reading the Notes container, PowerPoint incorrectly reads more data than was allocated for, overwriting a function pointer for the object which is later used in a call from mso.dll. Successful exploitation can lead to remote code execution under the credentials of the currently logged in user.
2008-06-16 iDefense
Microsoft PowerPoint PPT95 Import Multiple Stack Buffer Overflow Vulnerabilities
Heap Corruption Vulnerability (MS09-017, CVE-2009-1128)
Vulnerability Reported
The first vulnerability occurs when reading data that describes a sound object embedded in the file. A record length value is read in from the file. This value is then used to control how many bytes are stored in a fixed size stack buffer. There is no check performed to ensure that the buffer can hold the number of bytes specified. This can lead to a stack buffer overflow. The second vulnerability occurs when reading in record name strings from the file. A string from the file is copied into a fixed size stack buffer without verifying that the destination buffer is large enough to hold the string. This results in a stack buffer overflow.
2008-04-25 iDefense
Microsoft PowerPoint PPT95 Import Multiple Stack Buffer Overflow Vulnerabilities
Heap Corruption Vulnerability (MS09-017, CVE-2009-1129)
Vulnerability Reported
The vulnerabilities occur when reading sound data from a PowerPoint file. In both cases, a value representing a record length is read in from the file. This value is then used to control the number of bytes read into a fixed size stack buffer. There is no check performed to ensure that the buffer can hold the number of bytes specified, which results in a stack buffer overflow.
2008-04-07 Zero Day Initiative (ZDI)
ZDI-09-019: Microsoft Office PowerPoint OutlineTextRefAtom Parsing Memory Corruption Vulnerability
Memory Corruption Vulnerability (MS09-017, CVE-2009-0556)
Vulnerability Reported
The specific flaw exists in the parsing of the OutlineTextRefAtom (3998). By specifying an invalid "index" value during parsing memory corruption occurs. Proper exploitation can lead to remote code execution under the credentials of the currently logged in user.
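The two bug classes that recur in the iDefense entries above (the 2008-09-03 integer overflow in a count-times-size heap allocation, and the 2008-08-29, 2008-06-16 and 2008-04-25 importer bugs where a file-supplied record length drives a copy into a fixed-size stack buffer) can be shown side by side in a small parser. The following C program is an added illustration written for this note; it is not code from Microsoft, iDefense or ZDI. The record layout (little-endian type/flags/len header), the record types REC_COUNT and REC_NAME, the ENTRY_SIZE and NAME_BUF constants, and the sample streams are all invented for the example and do not describe the real PowerPoint binary format.

```c
/* Added example for the tracking note above: toy PPT-style record parser
 * showing the overflowed size computation and the unchecked record-length
 * copy, each beside a hardened version. All layout constants and record
 * types are assumptions made for illustration, not the real PPT format. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_HDR_LEN 8       /* assumed header: type(2) flags(2) len(4), little-endian */
#define NAME_BUF    32      /* fixed destination, like the importer's stack buffer */
#define ENTRY_SIZE  16      /* assumed per-entry size multiplied by the file's count */
#define REC_COUNT   0x0001  /* hypothetical: body = uint32 count, then count entries */
#define REC_NAME    0x0002  /* hypothetical: body = name bytes, length from header */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Bug class 1 (CVE-2009-0221 pattern): the 32-bit multiply wraps for a
 * large count, so the heap buffer allocated from it is undersized. */
uint32_t buggy_alloc_size(uint32_t count) { return count * ENTRY_SIZE; }

/* Hardened: reject counts whose product cannot be represented, and counts
 * claiming more entries than the record actually carries. */
int safe_alloc_size(uint32_t count, size_t available, size_t *out)
{
    if (count > UINT32_MAX / ENTRY_SIZE) return -1;   /* would wrap */
    size_t bytes = (size_t)count * ENTRY_SIZE;
    if (bytes > available) return -1;                  /* file does not hold them */
    *out = bytes;
    return 0;
}

/* Bug class 2 (CVE-2009-0220 / -1128 / -1129 pattern), kept as arithmetic
 * instead of an actual smash: bytes an unchecked memcpy(out, src, len)
 * would write past a NAME_BUF-byte buffer. */
uint32_t buggy_copy_overrun(uint32_t len) { return len > NAME_BUF ? len - NAME_BUF : 0; }

/* Hardened: bound the copy by the destination and by the remaining stream. */
int safe_copy_name(const uint8_t *buf, size_t buflen, size_t off, uint32_t len, char out[NAME_BUF])
{
    if (len >= NAME_BUF) return -1;                    /* keep room for the NUL */
    if (off > buflen || len > buflen - off) return -1; /* record runs past the stream */
    memcpy(out, buf + off, len);
    out[len] = '\0';
    return 0;
}

/* Walk a record stream with the hardened checks: 0 if every record is
 * accepted, -1 at the first malformed one. Unknown types are skipped. */
int parse_stream(const uint8_t *buf, size_t buflen, size_t *entry_bytes, char name[NAME_BUF])
{
    size_t off = 0;
    *entry_bytes = 0;
    name[0] = '\0';
    while (off < buflen) {
        if (buflen - off < REC_HDR_LEN) return -1;
        uint16_t type = le16(buf + off);
        uint32_t len  = le32(buf + off + 4);
        size_t body   = off + REC_HDR_LEN;
        if (len > buflen - body) return -1;            /* header claims more than present */
        if (type == REC_COUNT) {
            if (len < 4) return -1;
            if (safe_alloc_size(le32(buf + body), len - 4, entry_bytes)) return -1;
        } else if (type == REC_NAME) {
            if (safe_copy_name(buf, buflen, body, len, name)) return -1;
        }
        off = body + len;
    }
    return 0;
}

/* Constructed sample streams (not real .ppt data). */
size_t put_rec(uint8_t *dst, uint16_t type, const uint8_t *body, uint32_t len)
{
    dst[0] = type & 0xff; dst[1] = type >> 8; dst[2] = 0; dst[3] = 0;
    dst[4] = len & 0xff; dst[5] = (len >> 8) & 0xff; dst[6] = (len >> 16) & 0xff; dst[7] = len >> 24;
    if (len) memcpy(dst + REC_HDR_LEN, body, len);
    return REC_HDR_LEN + len;
}
size_t build_benign_stream(uint8_t *out)
{
    uint8_t count_body[4 + 2 * ENTRY_SIZE] = {2, 0, 0, 0};  /* count = 2, two zeroed entries */
    size_t n = put_rec(out, REC_COUNT, count_body, sizeof count_body);
    return n + put_rec(out + n, REC_NAME, (const uint8_t *)"Slide 1", 7);
}
size_t build_evil_name_stream(uint8_t *out)        /* 64-byte name into a 32-byte buffer */
{
    uint8_t big[64]; memset(big, 'A', sizeof big);
    return put_rec(out, REC_NAME, big, sizeof big);
}
size_t build_evil_count_stream(uint8_t *out)       /* count 0x10000001: 0x10000001*16 wraps to 16 */
{
    uint8_t body[4] = {0x01, 0x00, 0x00, 0x10};
    return put_rec(out, REC_COUNT, body, sizeof body);
}

int main(void)
{
    uint8_t s[128]; size_t eb; char nm[NAME_BUF];
    printf("buggy size for count 0x10000001: %u bytes\n", buggy_alloc_size(0x10000001u));
    printf("benign stream: %d\n", parse_stream(s, build_benign_stream(s), &eb, nm));
    printf("oversized name: %d (would overrun by %u)\n",
           parse_stream(s, build_evil_name_stream(s), &eb, nm), buggy_copy_overrun(64));
    printf("wrapping count: %d\n", parse_stream(s, build_evil_count_stream(s), &eb, nm));
    return 0;
}
```

The hardened checks follow the rule the advisories imply: every size or count read from the file is validated against both the representable range (so the multiply cannot wrap) and the bytes actually present in the stream, before any allocation or copy uses it.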

Reference

Date first published (UTC): 2009-04-08T23:51+00:00
Date last updated (UTC): 2009-06-12T00:04+00:00