Content
(MS09-017) Microsoft PowerPoint Memory Corruption Vulnerability II (967340)
- Type
- Logic error
- Impact of exploitation
- Remote Code Execution
- User Interaction
- user interaction is needed
- Attack Vector
- Maliciously Crafted File
- Rating
- Medium
- CVE reference
- CVE-2009-0556,
- Vendor Status
- Responded and patched
- Vulnerable systems
- Powerpoint 2003 SP3,
- Office 2004 Mac,
- Powerpoint 2000 SP3,
- Powerpoint 2002 SP3,
- Summary
- A vulnerability in Microsoft Office PowerPoint (Windows) and Office 2004 (Mac) may allow for remote code execution.
Tab Navigation
Description
A vulnerability in Microsoft Office PowerPoint (Windows) and Office 2004 (Mac) may allow for remote code execution. The flaw is specific the parsing of PPT file data. When reading a PPT into an atom (TextHeaderAtom), the program initializes certain values which includes an object which is later passed to other parts of the routine code. The routine which is responsible for parsing the OutlineTextRefAtom will delete this object. When the deleted object is again referred to, a crash will occur.
McAfee Product Mitigation & Recommendations
Recommendations
The vendor has released a patch to address this issue: http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx
McAfee Product Mitigation
McAfee Foundstone
- Signature:
- Microsoft Office PowerPoint PPT Parsing Code Execution Vulnerability
- Signature identifier:
- 6583
- Release date:
- 4/2/2009
McAfee Intrushield
- Signature:
- HTTP: Microsoft Office PowerPoint Parsing Code Execution Vulnerability
- Signature identifier:
- 0x4025C500
- Release date:
- 4/2/2009
- First released in:
- 5.1.16, 4.1.46
McAfee Host IPS
Generic buffer overflow is expected to cover code execution exploits.
- Signature:
- Generic Buffer Overflow Protection
- Signature identifier:
- 428
- Release date:
- 4/2/2009
McAfee VirusScan Enterprise 8.0i (VSE8.0i) / Managed Virus Scan (MVS) Buffer Overflow Protection
Generic buffer overflow is expected to cover code execution exploits.
- Signature:
- Generic Buffer Overflow Protection
- Signature identifier:
- 428
- Release date:
- 4/2/2009
Generic buffer overflow is expected to cover code execution exploits.
- Signature:
- Generic Buffer Overflow Protection
- Signature identifier:
- 428
- Release date:
- 4/2/2009
McAfee Anti-Virus protection
Coverage for known exploits is provided in the 5573 DAT files as Exploit-PPT.k Additional detection for new variants will be available in the 5614 DATs for the following products: SIG, SWG, GS, LS, VSE E-mail, VSO E-mail.
- Signature:
- DATs
- Signature identifier:
- 5573
- Release date:
- 4/3/2009
- First released in:
- Exploit-PPT.k
Additional Resources
Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/969136.mspx
Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340)
http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx
All Information
Timeline -
5/12/2009
Vendor has provided a patch.
4/2/2009
Vendor has provided information on the vulnerability.
Description -
A vulnerability in Microsoft Office PowerPoint (Windows) and Office 2004 (Mac) may allow for remote code execution. The flaw is specific the parsing of PPT file data. When reading a PPT into an atom (TextHeaderAtom), the program initializes certain values which includes an object which is later passed to other parts of the routine code. The routine which is responsible for parsing the OutlineTextRefAtom will delete this object. When the deleted object is again referred to, a crash will occur.
McAfee Product Mitigation & Recommendations
Recommendations -
The vendor has released a patch to address this issue: http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx
McAfee Product Mitigation
McAfee Foundstone
- Signature:
- Microsoft Office PowerPoint PPT Parsing Code Execution Vulnerability
- Signature identifier:
- 6583
- Release date:
- 4/2/2009
McAfee Intrushield
- Signature:
- HTTP: Microsoft Office PowerPoint Parsing Code Execution Vulnerability
- Signature identifier:
- 0x4025C500
- Release date:
- 4/2/2009
- First released in:
- 5.1.16, 4.1.46
McAfee Host IPS
Generic buffer overflow is expected to cover code execution exploits.
- Signature:
- Generic Buffer Overflow Protection
- Signature identifier:
- 428
- Release date:
- 4/2/2009
McAfee VirusScan Enterprise 8.0i (VSE8.0i) / Managed Virus Scan (MVS) Buffer Overflow Protection
Generic buffer overflow is expected to cover code execution exploits.
- Signature:
- Generic Buffer Overflow Protection
- Signature identifier:
- 428
- Release date:
- 4/2/2009
Generic buffer overflow is expected to cover code execution exploits.
- Signature:
- Generic Buffer Overflow Protection
- Signature identifier:
- 428
- Release date:
- 4/2/2009
McAfee Anti-Virus protection
Coverage for known exploits is provided in the 5573 DAT files as Exploit-PPT.k Additional detection for new variants will be available in the 5614 DATs for the following products: SIG, SWG, GS, LS, VSE E-mail, VSO E-mail.
- Signature:
- DATs
- Signature identifier:
- 5573
- Release date:
- 4/3/2009
- First released in:
- Exploit-PPT.k
Additional Resources
Additional Resources -
Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/969136.mspx
Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340)
http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx
