MS-ISAC ADVISORY NUMBER:
2009-016 Updated
DATE(S) ISSUED:
4/3/2009
5/12/2009 - Updated
SUBJECT:
Vulnerability in Microsoft PowerPoint Could Allow for Remote Code Execution
UPDATED SUBJECT:
Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (MS09-017)
ORIGINAL OVERVIEW:
A new vulnerability has been discovered in Microsoft PowerPoint, a slide presentation program. This vulnerability can be exploited by opening a malicious PowerPoint presentation (.PPT or .PPS file) received as an email attachment, or by visiting a web site that is hosting a malicious PowerPoint file. Successful exploitation could allow an attacker to gain the same user privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are confirmed reports that this vulnerability is being used for specific targeted attacks although more widespread exploitation may occur when additional details regarding this vulnerability become available.
UPDATED OVERVIEW:
A security bulletin has been issued by Microsoft to address a total of 14 vulnerabilities including the issue highlighted in this advisory (2009-016).
SYSTEMS AFFECTED:
- Microsoft Office 2000 Service Pack 3
- Microsoft Office 2002 Service Pack 3
- Microsoft Office 2003 Service Pack 3
- Microsoft Office 2004 for Mac
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
A new vulnerability has been identified in Microsoft PowerPoint that could allow remote code execution. This vulnerability is caused by an invalid object reference that can be exploited by opening a malicious PowerPoint presentation (.PPT or .PPS) via email attachment, or by visiting a web site that is hosting a malicious PowerPoint file. If Microsoft Office 2000 is being used, it will automatically open any Office documents unless the Office Document Open Confirmation Tool for Office 2000 is installed. By default, Microsoft Office 2003 or higher will prompt the user to Open, Save, or Cancel when accessing Office files. Successful exploitation could allow an attacker to gain the same user privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are confirmed reports that this vulnerability is being used for specific targeted attacks although more widespread exploitation may occur when additional details regarding this vulnerability become available. Microsoft is reporting that the malicious PowerPoint presentations are being detected as Exploit:Win32/Apptom.gen.
UPDATED DESCRIPTION:
A security bulletin has been issued by Microsoft to address a total of 14 vulnerabilities including the issue highlighted in this advisory (2009-016). These vulnerabilities consist of invalid sound file insertions, invalid record types, paragraph formatting complications and excessively large embedded data.
It should be noted that Microsoft has released a patch for these vulnerabilities.
Note: Some updates prevent PowerPoint 2000 & 2003 from opening PowerPoint 4.0 native file formats and/or modify the way PowerPoint 2000 and PowerPoint 2003 open PowerPoint 95 native file formats.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Consider following Microsoft's suggested actions in their security advisory: http://www.microsoft.com/technet/security/advisory/969136.mspx
- Consider using the Microsoft Office Isolated Conversion Environment (MOICE): http://support.microsoft.com/kb/935865
- Install the Office Document Open Confirmation Tool for Microsoft Office 2000: http://www.microsoft.com/downloads/details.aspx?familyid=8B5762D2-077F-4031-9EE6-C9538E9F2A2F&displaylang=en
- Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Do not open email attachments from un-trusted sources.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Ensure that all anti-virus software is up to date with the latest signatures.
- Install the appropriate vendor patch as soon as it becomes available after appropriate testing.
UPDATED RECOMMENDATIONS:
- Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
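ADDED EXAMPLE (not part of the MS-ISAC advisory or of Microsoft's guidance):
A content-based check that a mail or web gateway could use to flag legacy binary PowerPoint files (.PPT/.PPS) regardless of file name, so they can be held or routed through MOICE until patches are applied. It assumes the legacy format is an OLE compound file containing a stream named "PowerPoint Document"; the function names and the constructed sample file are illustrative.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE compound file signature
MAXREGSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFE, 0xFFFFFFFF

def cfb_entry_names(data):
    """Directory entry names of an OLE compound file, or None if data is not one."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        return None
    shift, = struct.unpack_from("<H", data, 30)
    if shift not in (9, 12):                      # 512- or 4096-byte sectors only
        return None
    size = 1 << shift
    def sector(n):                                # sector 0 follows the header
        return data[(n + 1) * size:(n + 2) * size]
    # Build the FAT from the 109 DIFAT slots in the header (assumption: no extra
    # DIFAT sectors, which covers files up to about 6.8 MB with 512-byte sectors).
    fat = []
    for s in struct.unpack_from("<109I", data, 76):
        if s <= MAXREGSECT:
            raw = sector(s)
            fat.extend(struct.unpack("<%dI" % (len(raw) // 4), raw[:len(raw) // 4 * 4]))
    names, seen = [], set()
    sec, = struct.unpack_from("<I", data, 48)     # first directory sector
    while sec < len(fat) and sec not in seen:     # 'seen' stops looping chains
        seen.add(sec)
        raw = sector(sec)
        for i in range(0, len(raw) - 127, 128):   # 128-byte directory entries
            nlen, etype = struct.unpack_from("<HB", raw, i + 64)
            if etype in (1, 2, 5) and 2 <= nlen <= 64:   # storage, stream, root
                names.append(raw[i:i + nlen - 2].decode("utf-16-le", "replace"))
        sec = fat[sec]
    return names

def is_legacy_powerpoint(data):
    """True if the bytes are a compound file with a 'PowerPoint Document' stream."""
    names = cfb_entry_names(data)
    return names is not None and "PowerPoint Document" in names

def build_sample(stream_name):
    """Constructed minimal compound file: header, one FAT sector, one directory sector."""
    hdr = CFB_MAGIC + bytes(16) + struct.pack(
        "<HHHHH6x9I", 0x3E, 3, 0xFFFE, 9, 6,
        0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr += struct.pack("<109I", 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[FREESECT] * 126)
    def entry(name, etype):
        raw = name.encode("utf-16-le")
        return raw.ljust(64, b"\0") + struct.pack("<HB", len(raw) + 2, etype) + bytes(61)
    return hdr + fat + entry("Root Entry", 5) + entry(stream_name, 2) + bytes(256)
```

A match identifies the file format only; it does not indicate that the file is malicious.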
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/advisory/969136.mspx
http://blogs.technet.com/msrc/default.aspx
http://blogs.technet.com/mmpc/
http://www.microsoft.com/security/portal/Entry.aspx?Name=Exploit%3aWin32%2fApptom.gen
Security Focus:
http://www.securityfocus.com/bid/34351
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0556
UPDATED REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS09-017.mspx
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0220
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0221
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0222
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0223
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0225
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0226
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0227
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0556
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1128
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1129
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1130
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1131
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1137
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
