|
|
|
|
| |
Credit:
The information has been provided by Sean Larsson.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=794
|
| |
Vulnerable Systems:
* Microsoft PowerPoint 2000 SP3
* Microsoft PowerPoint 2002 (XP) SP3
* Microsoft PowerPoint 2003 SP2
* Microsoft PowerPoint 2003 SP3
Immune Systems:
* Microsoft PowerPoint 2007
* Microsoft PowerPoint 2007 SP1
* Microsoft PowerPoint Viewer 2003
The vulnerability occurs when parsing the Notes container inside of the PowerPoint Document stream. This container is used to hold records related to notes that appear on the slides. By inserting a value into a container, it is possible to trigger a memory corruption vulnerability.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. To exploit this vulnerability, an attacker needs to convince a user to open a malicious file. If the targeted user is running PowerPoint 2000, and the "Office Document Open Confirmation Tool" is not installed, then it is possible to exploit this vulnerability directly through the browser.
Due to the nature of the vulnerability, relatively precise control of the process memory layout is needed to successfully exploit this vulnerability. iDefense Labs has developed exploit code that successfully exploits this vulnerability.
Patch Availability:
Microsoft has released a patch which addresses this issue. For more information, consult their advisory at the following URL:
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
CVE Information:
CVE-2009-1130
Disclosure Timeline:
10/22/2008 - Initial Contact
10/22/2008 - Initial Vendor Response
10/22/2008 - PoC Requested
11/05/2008 - PoC Sent
11/05/2008 - Vendor Case Number Assigned
11/07/2008 - Vendor Status Update
02/19/2009 - Vendor Status Update
05/12/2009 - Coordinated Public Disclosure
|
|
|
|
|
