Microsoft PowerPoint Viewer 2003 Out of Bounds Array Index Vulnerability
13 Aug. 2008
Summary
Microsoft Corp.'s PowerPoint Viewer is "a viewer for full-featured presentations created in PowerPoint 97 and later versions". Remote exploitation of an out-of-bounds array index vulnerability in Microsoft Corp.'s PowerPoint Viewer 2003 could allow an attacker to execute arbitrary code in the context of the user running the application.
Vulnerable Systems:
* pptview.exe file version 11.0.5703.0
Immune Systems:
* pptview.exe file version 11.0.6566.0 (as included in Microsoft Office 2003 SP2)
* pptview.exe file version 11.0.8164.0 (as included in Microsoft Office 2003 SP3)
This vulnerability specifically exists in PowerPoint Viewer 2003 when handling certain records in a PowerPoint presentation file. In some circumstances, an array index can be directly controlled by data from within the PowerPoint presentation file. Thus, a function pointer can be directly controlled by the attacker and leveraged for arbitrary code execution.
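The bug class described above, shown as an added example that is not taken from the advisory or from PowerPoint Viewer: a record dispatcher that validates a file-supplied index before using it to pick a function pointer. The record layout (2-byte type, 2-byte length, body), the handler names and the return codes are hypothetical, and the use of a handler table is an assumption about how an index can end up controlling a function pointer.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical handler signature; not PowerPoint Viewer's real code. */
typedef int (*record_handler)(const uint8_t *body, size_t len);

static int handle_text(const uint8_t *b, size_t n)  { (void)b; return (int)n; }
static int handle_shape(const uint8_t *b, size_t n) { (void)b; (void)n; return 0; }

/* Table of function pointers indexed by the record type field. */
static const record_handler handlers[] = { handle_text, handle_shape };
#define HANDLER_COUNT (sizeof handlers / sizeof handlers[0])

enum { REC_OK = 0, REC_TRUNCATED = -1, REC_BAD_TYPE = -2, REC_BAD_LEN = -3 };

/* Constructed record format: little-endian u16 type, u16 length, then body. */
int dispatch_record(const uint8_t *buf, size_t buflen, int *result)
{
    if (buflen < 4)
        return REC_TRUNCATED;

    /* Both fields come straight from the file and are untrusted.
       Keeping them unsigned means a "negative" index cannot pass the check. */
    uint16_t type = (uint16_t)(buf[0] | (buf[1] << 8));
    uint16_t len  = (uint16_t)(buf[2] | (buf[3] << 8));

    /* The unchecked form of this bug class is handlers[type](...) with no
       comparison: an out-of-range type makes the program load a "function
       pointer" from memory outside the table and call it. */
    if (type >= HANDLER_COUNT)
        return REC_BAD_TYPE;          /* index validated before any lookup */
    if (len > buflen - 4)
        return REC_BAD_LEN;           /* body must lie inside the buffer */

    *result = handlers[type](buf + 4, len);
    return REC_OK;
}
```
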
Analysis:
Exploitation allows an attacker to execute arbitrary code on the affected host in the context of the user who opened a malicious PPT presentation using Microsoft PowerPoint Viewer 2003.
Exploitation of this vulnerability would require an attacker either to host a malicious PowerPoint presentation file and use social engineering techniques to trick a user into visiting the site, or to deliver the hostile code to a user by other means, for example via e-mail. The user would then need to view the file using Microsoft's PowerPoint Viewer.