MS-ISAC ADVISORY NUMBER:
2009-016
DATE(S) ISSUED:
4/3/2009
SUBJECT:
Vulnerability in Microsoft PowerPoint Could Allow for Remote Code Execution
OVERVIEW:
A new vulnerability has been discovered in Microsoft PowerPoint, a slide presentation program. This vulnerability can be exploited by opening a malicious PowerPoint presentation (.PPT or .PPS file) received as an email attachment, or by visiting a web site that is hosting a malicious PowerPoint file. Successful exploitation could allow an attacker to gain the same user privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are confirmed reports that this vulnerability is being used for specific targeted attacks although more widespread exploitation may occur when additional details regarding this vulnerability become available.
There is no patch for this vulnerability available at this time.
SYSTEMS AFFECTED:
- Microsoft Office 2000 Service Pack 3
- Microsoft Office 2002 Service Pack 3
- Microsoft Office 2003 Service Pack 3
- Microsoft Office 2004 for Mac
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
A new vulnerability has been identified in Microsoft PowerPoint that could allow remote code execution. This vulnerability is caused by an invalid object reference that can be exploited by opening a malicious PowerPoint presentation (.PPT or .PPS) via email attachment, or by visiting a web site that is hosting a malicious PowerPoint file. If Microsoft Office 2000 is being used, it will automatically open any Office documents, unless the Office Document Open Confirmation Tool for Office 2000 is installed. Microsoft Office 2003 or higher will, by default, prompt the user to Open, Save, or Cancel when accessing Office files. Successful exploitation could allow an attacker to gain the same user privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are confirmed reports that this vulnerability is being used for specific targeted attacks although more widespread exploitation may occur when additional details regarding this vulnerability become available. Microsoft is reporting that the malicious PowerPoint presentations are being detected as Exploit:Win32/Apptom.gen.
There is no patch for this vulnerability available at this time.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Consider following Microsoft's suggested actions in their security advisory: http://www.microsoft.com/technet/security/advisory/969136.mspx
- Consider using the Microsoft Office Isolated Conversion Environment (MOICE): http://support.microsoft.com/kb/935865
- Install the Office Document Open Confirmation Tool for Microsoft Office 2000: http://www.microsoft.com/downloads/details.aspx?familyid=8B5762D2-077F-4031-9EE6-C9538E9F2A2F&displaylang=en
- Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Do not open email attachments from un-trusted sources.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Ensure that all anti-virus software is up to date with the latest signatures.
- Install the appropriate vendor patch as soon as it becomes available after appropriate testing.
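Until a patch is available, a mail gateway or help desk may want to hold binary PowerPoint files regardless of how they are named. The following is an added example, not part of the MS-ISAC advisory or Microsoft's guidance: it recognizes the legacy .PPT/.PPS container by content (OLE2 signature plus a "PowerPoint Document" stream) so such files can be quarantined or routed through MOICE. It identifies the file type only and does not detect the exploit; the function names and the sample file are constructed for illustration.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file signature
END, FREE = 0xFFFFFFFE, 0xFFFFFFFF              # ENDOFCHAIN / FREESECT markers
PPT_STREAM = "PowerPoint Document"              # main stream of binary .PPT/.PPS

def directory_names(data):
    """Return the directory entry names of an OLE2 file, or [] if it is not one."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return []
    shift = struct.unpack_from("<H", data, 30)[0]
    if shift not in (9, 12):                    # 512- or 4096-byte sectors only
        return []
    size = 1 << shift
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]
    # Header DIFAT only (first 109 FAT sectors); very large files need the DIFAT chain.
    fat = []
    for s in struct.unpack_from("<109I", data, 76):
        if s < 0xFFFFFFFA:
            chunk = sector(s)
            fat.extend(struct.unpack("<%dI" % (len(chunk) // 4), chunk[:len(chunk) // 4 * 4]))
    names, seen, sec = [], set(), struct.unpack_from("<I", data, 48)[0]
    while sec < 0xFFFFFFFA and sec not in seen:  # 'seen' stops looped chains
        seen.add(sec)
        chunk = sector(sec)
        for off in range(0, len(chunk) - 127, 128):
            nlen = struct.unpack_from("<H", chunk, off + 64)[0]
            if chunk[off + 66] and 2 <= nlen <= 64:   # type 0 = unused entry
                names.append(chunk[off:off + nlen - 2].decode("utf-16-le", "replace"))
        sec = fat[sec] if sec < len(fat) else END
    return names

def is_legacy_powerpoint(data):
    """True when the bytes are a binary PowerPoint file, whatever the file is named."""
    return PPT_STREAM in directory_names(data)

def build_sample(stream_name):
    """Constructed test input: header + one FAT sector + one directory sector."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHH", header, 24, 0x3E, 3, 0xFFFE, 9)
    struct.pack_into("<II", header, 44, 1, 1)   # one FAT sector; directory at sector 1
    struct.pack_into("<109I", header, 76, 0, *([FREE] * 108))
    fat = struct.pack("<128I", 0xFFFFFFFD, END, *([FREE] * 126))
    def entry(name, kind):
        raw = name.encode("utf-16-le") + b"\0\0"
        return raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), kind) + bytes(61)
    return bytes(header) + fat + entry("Root Entry", 5) + entry(stream_name, 2) + bytes(256)
```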
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/advisory/969136.mspx
http://blogs.technet.com/msrc/default.aspx
http://blogs.technet.com/mmpc/
http://www.microsoft.com/security/portal/Entry.aspx?Name=Exploit%3aWin32%2fApptom.gen
Security Focus:
http://www.securityfocus.com/bid/34351
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0556
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
