Credit:
The information has been provided by Sean Larsson.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=841
Vulnerable Systems:
* PowerPoint 2000 SP3
* PowerPoint 2002 (XP) SP3
* PowerPoint 2003 SP3
Immune Systems:
* PowerPoint 2007
* PowerPoint 2007 SP1
The vulnerability occurs during the parsing of two related PowerPoint record types. The first, the "LinkedSlideAtom" record, specifies collaboration information for individual slides. One of its fields gives the number of certain related records that are present in the file. The code that fills the array used to store those records performs no bounds checking against the array's allocated size when storing elements, so a file that declares more records than the array can hold causes a heap-based buffer overflow.
Successful exploitation results in the execution of arbitrary code with the privileges of the user who opens the file. To exploit this vulnerability, an attacker must convince a user to open a malicious PowerPoint file. If the targeted user is running PowerPoint 2000 and the "Office Document Open Confirmation Tool" is not installed, Internet Explorer opens the document without prompting, so the vulnerability can be exploited directly through the browser.
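To make the failure mode concrete, the following is an added example in C and is not the advisory's or Microsoft's code. It is a toy parser for a record whose layout (an 8-byte header, a 4-byte count, then count 4-byte entries) is an assumption standing in for the real MS-PPT LinkedSlideAtom encoding. It shows the count-trusting loop that produces the heap overflow beside a bounds-checked version, and runs the unchecked loop against an array placed in front of canary words inside a larger allocation so the clobber is observable without undefined behaviour. The names build_atom, parse_unchecked, parse_checked and the demo_* helpers are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative record layout (an assumption, not the real MS-PPT encoding):
 *   8-byte record header: u16 verInstance, u16 recType, u32 recLen
 *   u32 count              -- number of entries that follow
 *   count * u32 entries    -- the data the parser stores into its array
 * All fields are little-endian, as PPT binary records are. */
#define HDR_LEN     8
#define ARRAY_CAP   4          /* entries the parser allocated room for */
#define GUARD_WORDS 4          /* canary words placed after the array in the demo */
#define CANARY      0xDEADBEEFu

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Build a constructed atom declaring `count` entries (entry i holds i+1).
 * Returns bytes written; buf must hold HDR_LEN + 4 + 4*count bytes. */
size_t build_atom(uint8_t *buf, uint32_t count)
{
    wr32(buf, 0);                        /* verInstance/recType: irrelevant here */
    wr32(buf + 4, 4 + 4 * count);        /* recLen */
    wr32(buf + HDR_LEN, count);
    for (uint32_t i = 0; i < count; i++)
        wr32(buf + HDR_LEN + 4 + 4 * i, i + 1);
    return HDR_LEN + 4 + 4 * count;
}

/* Vulnerable pattern: the count read from the file decides how many entries are
 * stored, but `out` only has ARRAY_CAP slots. Returns the number stored. */
int parse_unchecked(const uint8_t *buf, size_t len, uint32_t *out)
{
    if (len < HDR_LEN + 4) return -1;
    uint32_t count = rd32(buf + HDR_LEN);
    const uint8_t *p = buf + HDR_LEN + 4;
    for (uint32_t i = 0; i < count; i++)  /* no comparison against ARRAY_CAP */
        out[i] = rd32(p + 4 * i);         /* writes past the array when count > cap */
    return (int)count;
}

/* Hardened version: reject counts larger than the array, and counts larger than
 * the data actually present in the record. Returns entries stored, or -1. */
int parse_checked(const uint8_t *buf, size_t len, uint32_t *out, size_t cap)
{
    if (len < HDR_LEN + 4) return -1;
    uint32_t count = rd32(buf + HDR_LEN);
    if (count > cap) return -1;                              /* no room in the array */
    if ((size_t)count > (len - HDR_LEN - 4) / 4) return -1;  /* record is truncated */
    const uint8_t *p = buf + HDR_LEN + 4;
    for (uint32_t i = 0; i < count; i++)
        out[i] = rd32(p + 4 * i);
    return (int)count;
}

/* Run the unchecked parser on an atom declaring `declared` entries against a
 * 4-slot array followed by canary words inside one allocation. Returns the number
 * of canary words overwritten. Declared counts beyond the allocation are refused,
 * since writing outside it really would be undefined behaviour. */
int demo_unchecked_clobber(uint32_t declared)
{
    if (declared > ARRAY_CAP + GUARD_WORDS) return -1;
    uint8_t atom[HDR_LEN + 4 + 4 * (ARRAY_CAP + GUARD_WORDS)];
    size_t n = build_atom(atom, declared);
    uint32_t *region = malloc((ARRAY_CAP + GUARD_WORDS) * sizeof *region);
    if (!region) return -1;
    for (int i = 0; i < ARRAY_CAP + GUARD_WORDS; i++) region[i] = CANARY;
    parse_unchecked(atom, n, region);  /* region[0..ARRAY_CAP) is "the array" */
    int clobbered = 0;
    for (int i = ARRAY_CAP; i < ARRAY_CAP + GUARD_WORDS; i++)
        if (region[i] != CANARY) clobbered++;
    free(region);
    return clobbered;
}

/* Same input through the hardened parser; `truncate` drops the last two entries'
 * bytes so the length check is exercised as well. */
int demo_checked(uint32_t declared, int truncate)
{
    uint8_t atom[HDR_LEN + 4 + 4 * (ARRAY_CAP + GUARD_WORDS)];
    size_t n = build_atom(atom, declared);
    uint32_t out[ARRAY_CAP];
    if (truncate && n >= 8) n -= 8;
    return parse_checked(atom, n, out, ARRAY_CAP);
}

int main(void)
{
    printf("unchecked, 6 declared: %d canary words clobbered\n", demo_unchecked_clobber(6));
    printf("checked,   6 declared: %d\n", demo_checked(6, 0));
    printf("checked,   4 declared but truncated: %d\n", demo_checked(4, 1));
    return 0;
}
```

The second check in parse_checked matters as much as the first: a count that fits the array but exceeds the bytes left in the record turns the write overflow into an out-of-bounds read, and real parsers must bound the count by both the destination capacity and the remaining input length.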
Patch Availability:
Microsoft Corp. has released a patch which addresses this issue. Information about downloadable vendor updates can be found by clicking on the following URL:
http://www.microsoft.com/technet/security/Bulletin/MS10-004.mspx
CVE Information:
CVE-2010-0030
Disclosure Timeline:
07/08/2009 Initial Vendor Notification
07/08/2009 Initial Vendor Reply
02/09/2010 Coordinated Public Disclosure