Credit:
The information has been provided by Sean Larsson.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=842
Vulnerable Systems:
* PowerPoint 2000 SP3
* PowerPoint 2002 (XP) SP3
* PowerPoint 2003 SP3
Immune Systems:
* PowerPoint 2007
* PowerPoint 2007 SP1
This vulnerability occurs when parsing an "OEPlaceholderAtom" record. This record type is used to create a placeholder for an object (picture, text, etc.) on a slide. By providing a value greater than the size of an array, it is possible to corrupt stack memory beyond the bounds of the array with a fixed value. By overwriting critical structures like the saved return address, it is possible to execute arbitrary code.
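The bounds check that the affected versions lacked, as an added illustration in C that is not iDefense's or Microsoft's code: it parses a constructed 8-byte OEPlaceholderAtom and refuses any record whose index would fall outside a fixed-size per-slide table instead of writing past it. The field layout used here, the use of placeholderId as the table index, and the table size are assumptions for this example, not details taken from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed record layout for this example (8 bytes):
 *   placementId (4 bytes, little endian), placeholderId (1 byte),
 *   size (1 byte), unused (2 bytes). */
#define OEPLACEHOLDER_ATOM_LEN 8

/* Fixed-size per-slide table indexed by placeholderId (size assumed).
 * An unchecked file-supplied index into such a table is the out-of-range
 * write beyond a stack array that the advisory describes. */
#define MAX_PLACEHOLDERS 16

enum parse_result {
    PARSE_OK = 0,
    PARSE_SHORT_RECORD = 1,
    PARSE_INDEX_OUT_OF_RANGE = 2
};

struct slide_placeholders {
    int32_t placement_id[MAX_PLACEHOLDERS];
    uint8_t size[MAX_PLACEHOLDERS];
};

/* Parse one atom from rec (rec_len bytes) into out. Every value read from
 * the file is validated before it is used as an array index. */
int parse_oeplaceholder_atom(const uint8_t *rec, size_t rec_len,
                             struct slide_placeholders *out)
{
    if (rec == NULL || out == NULL || rec_len < OEPLACEHOLDER_ATOM_LEN)
        return PARSE_SHORT_RECORD;

    int32_t placement_id = (int32_t)((uint32_t)rec[0] | ((uint32_t)rec[1] << 8) |
                                     ((uint32_t)rec[2] << 16) | ((uint32_t)rec[3] << 24));
    uint8_t placeholder_id = rec[4];
    uint8_t size = rec[5];

    /* Reject the record rather than index past the end of the table. */
    if (placeholder_id >= MAX_PLACEHOLDERS)
        return PARSE_INDEX_OUT_OF_RANGE;

    out->placement_id[placeholder_id] = placement_id;
    out->size[placeholder_id] = size;
    return PARSE_OK;
}
```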
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. To exploit this vulnerability, an attacker needs to convince a user to open a malicious file. If the targeted user is running PowerPoint 2000, and the "Office Document Open Confirmation Tool" is not installed, then it is possible to exploit this vulnerability directly through the browser.
Patch Availability:
Microsoft Corp. has released a patch which addresses this issue. Information about downloadable vendor updates can be found by clicking on the following URL:
http://www.microsoft.com/technet/security/Bulletin/MS10-004.mspx
CVE Information:
CVE-2010-0031
Disclosure Timeline:
07/08/2009 Initial Vendor Notification
07/08/2009 Initial Vendor Reply
02/09/2010 Coordinated Public Disclosure