Credit:
The information has been provided by Marsu.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=787
Vulnerable Systems:
* Microsoft PowerPoint 2000 SP3
* Microsoft PowerPoint XP SP3
Immune Systems:
* Microsoft PowerPoint 2003 SP2 and SP3
* Microsoft PowerPoint 2007
* Microsoft PowerPoint 2007 SP1
The vulnerable code lives in PP4X32.DLL, the library PowerPoint loads to import PowerPoint 4.0 files. It parses a series of structures from the file, and when the number of these structures exceeds a fixed limit, memory is corrupted. The corruption can be leveraged to execute arbitrary code.
A successful exploit runs arbitrary code with the privileges of the user who opens the file. To exploit this vulnerability, an attacker needs to persuade a user to open a malicious file.
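The bug class described above, as an added illustration that is not the advisory's text, PP4X32.DLL's code, or the PowerPoint 4.0 file format: a toy record parser takes a record count from the file header and writes that many structures into a table of fixed capacity, beside a hardened version that rejects counts the table cannot hold. MAX_RECORDS, the record layout, the function names and the sample file bytes are all constructed for this example; the real limit and structures are not given on the page and are not reproduced here.

```c
/* Added example: a toy parser showing a count-driven overflow of a fixed
 * capacity table, and its hardened form. NOT PP4X32.DLL's code or format;
 * record layout, MAX_RECORDS and the sample bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_RECORDS 4            /* assumed capacity of the parser's table */
#define RECORD_SIZE 8            /* assumed on-disk record: u32 id, u32 len */

struct record { uint32_t id; uint32_t len; };

/* The parser writes into caller-provided storage of 'capacity' records. */
struct table { struct record *recs; size_t capacity; };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable: the header's record count is checked against the file length
 * (so the parser never over-reads) but never against the table's capacity,
 * so a file declaring more than MAX_RECORDS records writes past the table.
 * Returns the number of records stored, or -1 on a truncated file. */
int parse_records_vulnerable(const uint8_t *buf, size_t len, struct table *t) {
    if (len < 4) return -1;
    uint32_t count = rd32le(buf);
    if (count > (len - 4) / RECORD_SIZE) return -1;   /* guards the read only */
    const uint8_t *p = buf + 4;
    for (uint32_t i = 0; i < count; i++, p += RECORD_SIZE) {
        t->recs[i].id  = rd32le(p);                   /* i may exceed t->capacity */
        t->recs[i].len = rd32le(p + 4);
    }
    return (int)count;
}

/* Hardened: reject any count the table cannot hold before writing anything.
 * Returns the count, -1 on a truncated file, -2 when count exceeds capacity. */
int parse_records_hardened(const uint8_t *buf, size_t len, struct table *t) {
    if (len < 4) return -1;
    uint32_t count = rd32le(buf);
    if (count > (len - 4) / RECORD_SIZE) return -1;   /* truncated file */
    if (count > t->capacity) return -2;               /* more records than the table holds */
    const uint8_t *p = buf + 4;
    for (uint32_t i = 0; i < count; i++, p += RECORD_SIZE) {
        t->recs[i].id  = rd32le(p);
        t->recs[i].len = rd32le(p + 4);
    }
    return (int)count;
}

/* Constructed sample file: little-endian count, then records with ids 1..count
 * and len 0. 'out' must hold 4 + count*RECORD_SIZE bytes; returns the size. */
size_t build_sample_file(uint8_t *out, uint32_t count) {
    out[0] = (uint8_t)count;         out[1] = (uint8_t)(count >> 8);
    out[2] = (uint8_t)(count >> 16); out[3] = (uint8_t)(count >> 24);
    uint8_t *p = out + 4;
    for (uint32_t i = 0; i < count; i++, p += RECORD_SIZE) {
        memset(p, 0, RECORD_SIZE);
        p[0] = (uint8_t)(i + 1);
    }
    return 4 + (size_t)count * RECORD_SIZE;
}

/* Demonstration harness. Storage has one spare slot after the MAX_RECORDS the
 * table claims; that slot acts as a canary for the out-of-capacity write. The
 * count is capped at MAX_RECORDS + 1 so the demo itself only ever touches the
 * spare slot (a real file could declare any count). */
#define DEMO_MAX (MAX_RECORDS + 1)

/* Id found in the canary slot after the vulnerable parser runs; nonzero means
 * the parser wrote beyond the table's declared capacity. */
uint32_t canary_after_vulnerable_parse(uint32_t count) {
    struct record storage[DEMO_MAX];
    uint8_t file[4 + DEMO_MAX * RECORD_SIZE];
    if (count > DEMO_MAX) count = DEMO_MAX;
    memset(storage, 0, sizeof storage);
    struct table t = { storage, MAX_RECORDS };
    size_t n = build_sample_file(file, count);
    parse_records_vulnerable(file, n, &t);
    return storage[MAX_RECORDS].id;
}

/* Result of the hardened parser on the same constructed file. */
int hardened_parse_result(uint32_t count) {
    struct record storage[DEMO_MAX];
    uint8_t file[4 + DEMO_MAX * RECORD_SIZE];
    if (count > DEMO_MAX) count = DEMO_MAX;
    memset(storage, 0, sizeof storage);
    struct table t = { storage, MAX_RECORDS };
    size_t n = build_sample_file(file, count);
    return parse_records_hardened(file, n, &t);
}
```

The point of the two checks in the hardened parser is that they bound different things: the length check stops the parser reading past the end of the file, while the capacity check stops it writing past the end of its own table. A parser that has only the first, as the vulnerable version does, is exactly the shape of bug the advisory describes.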
Workaround:
Use the cacls program to deny access to the DLL containing the vulnerable code, PP4X32.DLL. This prevents PowerPoint from loading the vulnerable DLL, and therefore also prevents users from importing PowerPoint 4.0 files. Office 2003 SP3 blocks the opening of PowerPoint 4.0 files by default; if that default has been changed, restoring it is an effective workaround.
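The cacls workaround above as an added, scriptable example; this is not the advisory's or Microsoft's script. It applies a deny-all ACE for Everyone to PP4X32.DLL, verifies it, and removes it again. The install paths (Office 2000 under Office, Office XP under Office10, both beneath %ProgramFiles%) are assumptions about a default 32-bit installation; adjust them for your deployment.

```batch
@echo off
rem Added example (not from the iDefense advisory or the Microsoft bulletin):
rem deny all access to PP4X32.DLL so PowerPoint cannot load the PowerPoint 4.0
rem import filter. The two paths below are assumed default install locations
rem for Office 2000 and Office XP; change them to match the target machine.
rem Usage:  pp4x32-workaround.cmd apply | verify | undo
setlocal

set "DLL_2000=%ProgramFiles%\Microsoft Office\Office\PP4X32.DLL"
set "DLL_XP=%ProgramFiles%\Microsoft Office\Office10\PP4X32.DLL"

if /i "%~1"=="apply"  goto :apply
if /i "%~1"=="verify" goto :verify
if /i "%~1"=="undo"   goto :undo
echo Usage: %~nx0 apply ^| verify ^| undo
exit /b 2

:apply
for %%F in ("%DLL_2000%" "%DLL_XP%") do (
    if exist "%%~F" (
        echo Denying Everyone access to "%%~F"
        rem /E edits the existing ACL instead of replacing it;
        rem /P everyone:N adds a deny-all (N = none) entry for Everyone.
        cacls "%%~F" /E /P everyone:N
    )
)
goto :eof

:verify
for %%F in ("%DLL_2000%" "%DLL_XP%") do (
    if exist "%%~F" (
        echo ACL for "%%~F":
        cacls "%%~F"
        rem cacls lists the deny-all entry as Everyone:N.
        cacls "%%~F" | find /i "Everyone:N" >nul && (
            echo   OK: deny entry present
        ) || (
            echo   MISSING: deny entry not found, run "%~nx0 apply"
        )
    )
)
goto :eof

:undo
rem Remove the deny entry, e.g. before installing the MS09-017 update or
rem repairing Office, since the ACE also blocks administrators and installers.
for %%F in ("%DLL_2000%" "%DLL_XP%") do (
    if exist "%%~F" (
        echo Restoring access to "%%~F"
        cacls "%%~F" /E /R everyone
    )
)
goto :eof
```

Run it from an administrative command prompt. Because the deny entry applies to Everyone, it also blocks administrators and the Office installer: remove it with undo before updating or repairing Office, and reapply it only if the machine still lacks the MS09-017 update. This is a mitigation, not a fix; the update is the fix.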
Patch Availability:
Microsoft has released a patch which addresses this issue. For more information, consult their advisory at the following URL:
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
CVE Information:
CVE-2009-0227
Disclosure Timeline:
12/03/2008 - Initial Contact
12/15/2008 - Clarification Requested
12/15/2008 - Clarification Sent
12/15/2008 - PoC Requested
12/15/2008 - PoC Sent
01/06/2009 - Vendor Case # 8820 set
01/20/2009 - Vendor set tentative disclosure date of 06/09/2009
05/12/2009 - Coordinated Public Disclosure