PowerPoint is the flavour of the month of May

Written by Editor on May 13, 2009

So yesterday Microsoft released patches for a mammoth 14 security vulnerabilities for just one product, Microsoft PowerPoint.

The security vulnerabilities are all included in update MS09-017, the only update released this month. The update includes fixes for various publicly and privately disclosed security vulnerabilities within PowerPoint, many of which could be used for remote exploitation should a user open a specially crafted PowerPoint presentation. The security bulletin and fixes address the 14 issues, to varying degrees, across the following versions of Microsoft PowerPoint:

  • Office PowerPoint 2000 Service Pack 3
  • Office PowerPoint 2002 Service Pack 3
  • Office PowerPoint 2003 Service Pack 3
  • Office PowerPoint 2007 Service Pack 1
  • Office PowerPoint 2007 Service Pack 2
  • Office 2004 for Mac
  • Office 2008 for Mac
  • Office PowerPoint Viewer 2003 Service Pack 3
  • Office PowerPoint Viewer
  • Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
  • Microsoft Works 8.5
  • Microsoft Works 9.0

Nine of the vulnerabilities affect PowerPoint legacy file support. Legacy files include documents saved as PowerPoint 95 and PowerPoint 4 format. Poor sanity checking on file objects when handling these legacy files leads to memory corruption, and consequently remote code execution.

Three other memory-corruption vulnerabilities are addressed. One of these issues is triggered by a malformed index value. This issue is already public and being exploited in the wild.

Additionally, an integer-overflow vulnerability is addressed in MS09-017. This issue can be triggered when a specially crafted PowerPoint document is opened: a lack of sanity checking for a size field in a document object can lead to memory corruption and remote code execution. Finally, the update addresses an out-of-bounds memory access vulnerability, where PowerPoint, when handling a specially crafted file, could trigger memory corruption and remote code execution.
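
The size-field problem described above, as an added example that is not part of the original post and is not PowerPoint's parsing code: the 8-byte record header (4-byte tag plus 4-byte little-endian size), the function names and both sample records are hypothetical, constructed for illustration. It shows how a length check that adds to the untrusted size wraps in 32-bit arithmetic and accepts an oversized record, beside a check that cannot overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 8u  /* hypothetical header: 4-byte tag + 4-byte little-endian size */

/* Read the untrusted 32-bit size field that follows the 4-byte tag. */
static uint32_t read_size(const uint8_t *rec) {
    return (uint32_t)rec[4] | ((uint32_t)rec[5] << 8) |
           ((uint32_t)rec[6] << 16) | ((uint32_t)rec[7] << 24);
}

/* Naive check: HDR_LEN + size is computed in 32 bits and can wrap to a
 * small number, so an oversized record is accepted. Returns 1 if accepted. */
int naive_accepts(const uint8_t *buf, uint32_t buf_len) {
    if (buf_len < HDR_LEN) return 0;
    uint32_t total = (uint32_t)(HDR_LEN + read_size(buf)); /* may wrap */
    return total <= buf_len;
}

/* Hardened check: compare the size against the bytes that remain, so no
 * addition on untrusted values is needed. Returns 1 if accepted. */
int checked_accepts(const uint8_t *buf, uint32_t buf_len) {
    if (buf_len < HDR_LEN) return 0;
    return read_size(buf) <= buf_len - HDR_LEN;
}

/* Copy the payload only after the hardened check and a destination bound.
 * Returns the number of bytes copied, or -1 if the record is rejected. */
long copy_payload(const uint8_t *buf, uint32_t buf_len, uint8_t *dst, size_t dst_len) {
    if (!checked_accepts(buf, buf_len)) return -1;
    uint32_t size = read_size(buf);
    if (size > dst_len) return -1;
    memcpy(dst, buf + HDR_LEN, size);
    return (long)size;
}

/* Constructed samples: a well-formed record and one whose size field is 0xFFFFFFFC. */
const uint8_t good_rec[12] = {'R','E','C','0', 4,0,0,0, 1,2,3,4};
const uint8_t bad_rec[12]  = {'R','E','C','0', 0xFC,0xFF,0xFF,0xFF, 1,2,3,4};

int main(void) {
    printf("naive:   good=%d bad=%d\n", naive_accepts(good_rec, 12), naive_accepts(bad_rec, 12));
    printf("checked: good=%d bad=%d\n", checked_accepts(good_rec, 12), checked_accepts(bad_rec, 12));
    return 0;
}
```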

This one bulletin is rated Critical, and as such it is recommended that the patch is installed as soon as possible. Not only that, but at least one of the issues addressed in the patch is being exploited in the wild.