Microsoft PowerPoint Conversion Filter Heap Corruption Vulnerability (MS09-017)
8 Jul. 2009
Summary
Remote exploitation of a heap corruption vulnerability in Microsoft Corp.'s PowerPoint could allow an attacker to execute arbitrary code with the privileges of the current user.
Vulnerable Systems:
* Microsoft PowerPoint 2000 SP3
* Microsoft PowerPoint XP SP3
Immune Systems:
* Microsoft PowerPoint 2007
* Microsoft PowerPoint 2007 SP1
* Microsoft PowerPoint 2003 SP2
* Microsoft PowerPoint 2003 SP3
Details:
The vulnerable code is in the PowerPoint 4.0 conversion filter, PP4X32.DLL, which parses structures in the legacy presentation file. If the number of these structures exceeds a certain value, the parser corrupts heap memory, and that corruption can be leveraged to execute arbitrary code.
Successful exploitation yields arbitrary code execution with the privileges of the user who opened the file. To exploit the vulnerability, an attacker must convince a user to open a specially crafted PowerPoint 4.0 file.
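The failure mode described above, as an added example that is not code from this advisory, from PP4X32.DLL or from Microsoft: a constructed toy record parser whose fixed-size heap table is overrun when the file's record count exceeds the assumed capacity MAX_RECORDS, shown beside the hardened form that rejects such a count before copying anything. The container layout (a 4-byte little-endian count followed by 8-byte records), the sizes and every function name are assumptions; the zeroed guard slack after the table exists only so the demonstration overrun stays inside one allocation and can be measured instead of crashing the process.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy container standing in for the legacy file: a 4-byte
 * little-endian record count followed by that many RECORD_SIZE-byte records.
 * This is NOT the PowerPoint 4.0 format and NOT code from PP4X32.DLL. */
#define RECORD_SIZE   8
#define MAX_RECORDS   4   /* assumed capacity of the parser's fixed-size table */
#define GUARD_RECORDS 4   /* slack after the table so the demo overrun stays in one allocation */

typedef struct { uint8_t raw[RECORD_SIZE]; } record_t;

enum { PARSE_TRUNCATED = -1, PARSE_TOO_MANY = -2, PARSE_NOMEM = -3 };

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the count read from the file drives the copy loop, so a
 * count larger than MAX_RECORDS writes past the end of `table` (heap corruption).
 * Returns the number of records copied or a negative PARSE_* code. */
int parse_records_unchecked(const uint8_t *file, size_t len, record_t *table) {
    if (len < 4) return PARSE_TRUNCATED;
    uint32_t count = read_le32(file);
    /* 64-bit arithmetic so a huge count cannot wrap the length check */
    if ((uint64_t)4 + (uint64_t)count * RECORD_SIZE > len) return PARSE_TRUNCATED;
    for (uint32_t i = 0; i < count; i++)          /* no comparison against MAX_RECORDS */
        memcpy(table[i].raw, file + 4 + (size_t)i * RECORD_SIZE, RECORD_SIZE);
    return (int)count;
}

/* Hardened form: reject a count the table cannot hold BEFORE copying anything. */
int parse_records_checked(const uint8_t *file, size_t len, record_t *table) {
    if (len < 4) return PARSE_TRUNCATED;
    uint32_t count = read_le32(file);
    if (count > MAX_RECORDS) return PARSE_TOO_MANY;
    if ((uint64_t)4 + (uint64_t)count * RECORD_SIZE > len) return PARSE_TRUNCATED;
    for (uint32_t i = 0; i < count; i++)
        memcpy(table[i].raw, file + 4 + (size_t)i * RECORD_SIZE, RECORD_SIZE);
    return (int)count;
}

/* Builds a constructed file image claiming `count` records, each filled with
 * `fill`. Returns the image length, or 0 if `cap` is too small. */
size_t build_file(uint8_t *out, size_t cap, uint32_t count, uint8_t fill) {
    size_t need = 4 + (size_t)count * RECORD_SIZE;
    if (need > cap) return 0;
    out[0] = (uint8_t)count;         out[1] = (uint8_t)(count >> 8);
    out[2] = (uint8_t)(count >> 16); out[3] = (uint8_t)(count >> 24);
    memset(out + 4, fill, need - 4);
    return need;
}

/* Runs one parser over a heap table followed by GUARD_RECORDS of zeroed slack.
 * Returns the parser's result; *clobbered receives the number of guard bytes
 * that were overwritten (non-zero means the table was overrun). */
int run_case(int checked, uint32_t count, size_t *clobbered) {
    uint8_t file[4 + (MAX_RECORDS + GUARD_RECORDS) * RECORD_SIZE];
    size_t len = build_file(file, sizeof file, count, 0x41);
    size_t table_bytes = MAX_RECORDS * sizeof(record_t);
    size_t total = table_bytes + GUARD_RECORDS * sizeof(record_t);
    uint8_t *mem = calloc(1, total);
    *clobbered = 0;
    if (!mem) return PARSE_NOMEM;
    int rc = checked ? parse_records_checked(file, len, (record_t *)mem)
                     : parse_records_unchecked(file, len, (record_t *)mem);
    for (size_t i = table_bytes; i < total; i++)
        if (mem[i] != 0) (*clobbered)++;
    free(mem);
    return rc;
}

/* Single-value wrappers for checking results. */
int case_rc(int checked, uint32_t count) {
    size_t c; return run_case(checked, count, &c);
}
size_t case_clobbered(int checked, uint32_t count) {
    size_t c; run_case(checked, count, &c); return c;
}

int main(void) {
    size_t clobbered;
    int rc = run_case(0, MAX_RECORDS + 2, &clobbered);
    printf("unchecked parser: rc=%d, guard bytes clobbered=%zu\n", rc, clobbered);
    rc = run_case(1, MAX_RECORDS + 2, &clobbered);
    printf("checked parser:   rc=%d, guard bytes clobbered=%zu\n", rc, clobbered);
    return 0;
}
```

With a file claiming MAX_RECORDS + 2 records, the unchecked parser copies all six and overwrites 16 bytes beyond the table, which in a real heap would be whatever allocation follows it; the checked parser returns PARSE_TOO_MANY without touching the table. The same check belongs in any parser where an attacker-controlled count or length selects how much is written into storage sized by the program rather than by the file.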
Workaround:
The MS09-017 update addresses this issue. Where it cannot be applied, use the cacls program to deny access to the DLL that contains the vulnerable code, PP4X32.DLL. This prevents PowerPoint from loading the DLL, which also prevents users from importing PowerPoint 4.0 files; record the existing permissions before changing them so they can be restored once the update is installed. On Office 2003 SP3 the default behavior already blocks opening PowerPoint 4.0 files; if that default has been changed, restoring it is an effective workaround.