Microsoft PowerPoint Notes Container Heap Corruption Vulnerability (MS09-017)
10 Jul. 2009
Summary
Remote exploitation of a heap corruption vulnerability in Microsoft Corp.'s PowerPoint could allow an attacker to execute arbitrary code with the privileges of the current user.
Vulnerable Systems:
* Microsoft PowerPoint 2000 SP3
* Microsoft PowerPoint 2002 (XP) SP3
* Microsoft PowerPoint 2003 SP2
* Microsoft PowerPoint 2003 SP3
Immune Systems:
* Microsoft PowerPoint 2007
* Microsoft PowerPoint 2007 SP1
* Microsoft PowerPoint Viewer 2003
The vulnerability occurs when parsing the Notes container inside of the PowerPoint Document stream. This container is used to hold records related to notes that appear on the slides. By inserting a value into a container, it is possible to trigger a memory corruption vulnerability.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. To exploit this vulnerability, an attacker needs to convince a user to open a malicious file. If the targeted user is running PowerPoint 2000, and the "Office Document Open Confirmation Tool" is not installed, then it is possible to exploit this vulnerability directly through the browser.
Due to the nature of the vulnerability, relatively precise control of the process memory layout is needed to successfully exploit this vulnerability. iDefense Labs has developed exploit code that successfully exploits this vulnerability.
