Credit:
The information has been provided by Marsu.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=788
Vulnerable Systems:
* Microsoft PowerPoint 2000 SP3
* Microsoft PowerPoint XP SP3
Immune Systems:
* Microsoft PowerPoint 2007
* Microsoft PowerPoint 2007 SP1
* Microsoft 2003 SP2
* Microsoft 2003 SP3
In particular, there is code that parses structures in the PowerPoint file. If the number of these structures exceeds a certain value, memory corruption occurs. This memory corruption leads to the execution of arbitrary code.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. To exploit this vulnerability, an attacker needs to convince a user to open a malicious file.
Patch Availability:
Microsoft has released a patch which addresses this issue. For more information, consult their advisory at the following URL:
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
Workaround:
Use the cacls program to deny access to the DLL containing the vulnerable code, PP4X32.DLL. This will prevent the vulnerable DLL from loading in PowerPoint, which will also prevent users from importing PowerPoint 4.0 files. If Office 2003 SP3 is being used, then the default behavior is to block the opening of PowerPoint 4.0 files. If the default behavior has been changed, restoring it is an effective workaround.
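The following batch script is an added example of applying (and later reverting) the cacls workaround described above; it is not part of the iDefense advisory or of Microsoft's bulletin. It assumes that Office 2000 or Office XP is installed somewhere under "%ProgramFiles%\Microsoft Office" (the exact subfolder holding PP4X32.DLL is located with dir /s rather than hard-coded) and that it is run from an administrator command prompt. The cacls switches used (/E to edit rather than replace the ACL, /P Everyone:N to set "no access", /R to remove an entry) are standard cacls options.

```batch
@echo off
rem Added example (not from the advisory): deny all access to PP4X32.DLL so
rem PowerPoint can no longer load the PowerPoint 4.0 import filter, or revert
rem that change once the MS09-017 update has been installed.
rem Assumptions: Office is under "%ProgramFiles%\Microsoft Office" and this
rem runs from an elevated command prompt.
setlocal EnableExtensions

set "OFFICE_ROOT=%ProgramFiles%\Microsoft Office"
set "ACTION=%~1"
if "%ACTION%"=="" set "ACTION=apply"
if not "%ACTION%"=="apply" if not "%ACTION%"=="revert" (
    echo Usage: %~nx0 [apply ^| revert]
    exit /b 1
)

rem Locate every copy of the DLL below the Office root (Office, Office10, ...).
set "FOUND=0"
for /f "delims=" %%F in ('dir /s /b "%OFFICE_ROOT%\PP4X32.DLL" 2^>nul') do (
    set "FOUND=1"
    call :%ACTION% "%%F"
)
if "%FOUND%"=="0" echo PP4X32.DLL not found under "%OFFICE_ROOT%" - nothing to do.
endlocal
goto :eof

:apply
rem /E edits the existing ACL instead of replacing it; /P Everyone:N adds a
rem "no access" entry for Everyone, which overrides any allow entries, so the
rem loader cannot map the DLL for any user.
echo Denying access to %~1
echo y| cacls "%~1" /E /P Everyone:N
rem Print the resulting ACL so the change can be checked: an Everyone:N line
rem should now be present.
cacls "%~1"
goto :eof

:revert
rem /R removes the Everyone entry added by :apply, restoring the ability to
rem import PowerPoint 4.0 files. Only do this after the patch is installed.
echo Restoring access to %~1
echo y| cacls "%~1" /E /R Everyone
cacls "%~1"
goto :eof
```

Run it as `pp4x32_acl.cmd apply` before the patch is deployed and `pp4x32_acl.cmd revert` afterwards. Because the deny entry applies to Everyone, administrators are locked out of the file as well, which is the intended effect; the final cacls call in each branch displays the ACL so the state can be confirmed or logged for change tracking.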
CVE Information:
CVE-2009-0223
Disclosure Timeline:
02/24/2009 - Initial Contact
02/24/2009 - Initial Response
02/24/2009 - PoC Requested
03/05/2009 - PoC Sent
03/06/2009 - Vendor requests clarification - cannot reproduce
04/03/2009 - Vendor Case # 9037 set
04/23/2009 - Requested CVE from Vendor
04/23/2009 - Vendor set disclosure date of June 9
05/12/2009 - Coordinated Public Disclosure