Published: 2009-04-08T23:51+00:00
Last Updated: 2009-06-12T00:04+00:00
JVNTR-2009-09
Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution (TA09-132A)
Overview
Microsoft is investigating new reports of a vulnerability in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file.
Event Information
Date (UTC) | Description |
2009-06-09 |
Microsoft MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution Bulletin rereleased to provide security update packages for Mac and Microsoft Works. |
2009-05-22 |
Secunia Research 2009-29: Microsoft PowerPoint Freelance Layout Parsing Vulnerability Microsoft PowerPoint Freelance Translator vulnerability (CVE-2009-0202) Vulnerability Reported |
2009-05-13 03:15 |
JPCERT/CC JPCERT-AT-2009-0008: |
2009-05-12 23:04 |
Microsoft ms09-may: Microsoft Security Bulletin Summary for May 2009 Included in this advisory are updates for newly discovered vulnerabilities. |
2009-05-12 22:06 |
US-CERT TA09-132A: Microsoft PowerPoint Multiple Vulnerabilities Via US-CERT Mailing List |
2009-05-12 19:12 |
Microsoft Microsoft Security Advisory (969136): Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution Memory Corruption Vulnerability (MS09-017, CVE-2009-0556) Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS09-017 to address this issue. |
2009-05-12 17:50 |
SANS Internet Storm Center May Black Tuesday Overview Overview of the May 2009 Microsoft patches and their status. |
2009-05-12 17:35 |
US-CERT Microsoft Releases May Security Bulletin US-CERT Current Activity Microsoft has released an update to address a vulnerability in Microsoft Office as part of the Microsoft Security Bulletin Summary for May 2009. By convincing a user to open a specially crafted PowerPoint file, an attacker may be able to execute arbitrary code. |
2009-05-12 17:29 |
Symantec ThreatCON (1) => (2) The ThreatCon is at Level 2. Microsoft has released a Security Bulletin to address a total of 14 vulnerabilities affecting several versions of Microsoft PowerPoint. |
2009-05-08 04:46 |
Microsoft ms09-may: Microsoft Security Bulletin Advance Notification for May 2009 Included in this advisory are updates for newly discovered vulnerabilities. |
2009-04-03 12:47 |
US-CERT Microsoft Releases Security Advisory 969136 US-CERT Current Activity Microsoft has released security advisory 969136 to address reports of a vulnerability in Microsoft Office PowerPoint. By convincing a user to open a specially crafted Office file, a remote attacker may be able to gain access to the affected system with the same rights as the user running PowerPoint. |
2009-04-03 |
IBM Internet Security Systems Microsoft PowerPoint Remote Code Execution Vulnerability Microsoft Office PowerPoint could allow a remote attacker to execute arbitrary code on the system, caused by an unspecified error when handling .ppt files. There are confirmed reports of targeted exploitation. |
2009-04-03 |
Trend Micro TROJ_PPDROP.AB Exploiting PowerPoint Vulnerability (CVE-2009-0556) |
2009-04-03 |
Symantec Trojan.PPDropper.H Exploiting PowerPoint Vulnerability (CVE-2009-0556) |
2009-04-02 23:57 |
Symantec ThreatCON (1) => (2) On April 2, 2009, Microsoft released a security advisory that addresses a remote code-execution vulnerability in Microsoft Office PowerPoint. Limited and targeted attacks using this vulnerability have been reported. |
2009-04-02 23:11 |
Microsoft Microsoft Security Advisory (969136): Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution Advisory published. Microsoft is investigating new reports of a vulnerability in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability. |
2009-02-24 |
iDefense Microsoft PowerPoint 4.2 Conversion Filter Heap Corruption Vulnerability Legacy File Format Vulnerability (MS09-017, CVE-2009-0223) Vulnerability Reported There is code that parses structures in the PowerPoint file. If the number of these structures is greater than a certain value, then memory corruption will occur. This memory corruption leads to the execution of arbitrary code. |
2008-12-03 |
iDefense Microsoft PowerPoint 4.2 Conversion Filter Stack Buffer Overflow Vulnerability Legacy File Format Vulnerability (MS09-017, CVE-2009-0227) Vulnerability Reported There is code that parses structures in the PowerPoint file. If the number of these structures is greater than a certain value, then memory corruption will occur. This memory corruption leads to the execution of arbitrary code. |
2008-12-03 |
iDefense Microsoft PowerPoint 4.2 Conversion Filter Stack Overflow Legacy File Format Vulnerability (MS09-017, CVE-2009-0226) Vulnerability Reported There is code that parses a string in the PowerPoint file. If the size of this data is greater than a certain value, then memory corruption will occur. This memory corruption can lead to the vulnerable code executing an attacker-supplied address. |
2008-10-22 |
iDefense Microsoft PowerPoint Notes Container Heap Corruption Vulnerability Heap Corruption Vulnerability (MS09-017, CVE-2009-1130) Vulnerability Reported The vulnerability occurs when parsing the Notes container inside of the PowerPoint Document stream. This container is used to hold records related to notes that appear on the slides. By inserting a value into a container, it is possible to trigger a memory corruption vulnerability. |
2008-10-06 |
iDefense Microsoft PowerPoint Build List Memory Corruption Vulnerability Memory Corruption Vulnerability (MS09-017, CVE-2009-0224) Vulnerability Reported The vulnerability occurs during the parsing of the BuildList record. This record is a container for other records that describe charts and diagrams in the PowerPoint file. By inserting multiple BuildList records with ChartBuild containers inside of them, it is possible to trigger a memory corruption vulnerability during the parsing of the ChartBuild container's contents. This allows an attacker to control an object pointer, which can lead to attacker-supplied function pointers being dereferenced. |
2008-09-03 |
iDefense Microsoft PowerPoint Integer Overflow Vulnerability Integer Overflow Vulnerability (MS09-017, CVE-2009-0221) Vulnerability Reported The vulnerability occurs during the parsing of two related PowerPoint record types. The first record type is used to specify collaboration information for different slides. One of the fields in this record contains a 32-bit integer that specifies the number of records of a specific type that are present in the file. This integer is used in a multiplication operation that calculates the size of a heap buffer that will be used to store the records as they are read in from the file. The calculation can overflow, resulting in an undersized heap buffer being allocated. By providing a large value for the record count, and inserting enough dummy records, it is possible to trigger a heap-based buffer overflow. |
2008-08-29 |
iDefense Microsoft PowerPoint PPT 4.0 Importer Multiple Stack Buffer Overflow Vulnerabilities Legacy File Format Vulnerability (MS09-017, CVE-2009-0220) Vulnerability Reported The first vulnerability occurs when reading in a record header from the file. Due to an incorrect buffer size calculation, it is possible to overflow a stack-based buffer. Proper exploitation of this eventually leads to control of the instruction pointer register, allowing for the execution of arbitrary code. The second vulnerability occurs when reading in record data from the file. An integer is taken from the file and used to control the number of bytes to copy into a fixed-size stack buffer. This leads to a trivially exploitable stack-based buffer overflow. |
2008-06-25 |
Zero Day Initiative (ZDI) ZDI-09-020: Microsoft Office PowerPoint Notes Container Heap Overflow Vulnerability Heap Corruption Vulnerability (MS09-017, CVE-2009-1130) Vulnerability Reported The vulnerability exists within the parsing of certain structures inside a Notes container. While populating a C++ object as it reads the Notes container, PowerPoint incorrectly reads more data than was allocated, overwriting a function pointer for the object, which is later used in a call from mso.dll. Successful exploitation can lead to remote code execution under the credentials of the currently logged-in user. |
2008-06-16 |
iDefense Microsoft PowerPoint PPT95 Import Multiple Stack Buffer Overflow Vulnerabilities Heap Corruption Vulnerability (MS09-017, CVE-2009-1128) Vulnerability Reported The first vulnerability occurs when reading data that describes a sound object embedded in the file. A record length value is read in from the file. This value is then used to control how many bytes are stored in a fixed-size stack buffer. There is no check performed to ensure that the buffer can hold the number of bytes specified. This can lead to a stack buffer overflow. The second vulnerability occurs when reading in record name strings from the file. A string from the file is copied into a fixed-size stack buffer without verifying that the destination buffer is large enough to hold the string. This results in a stack buffer overflow. |
2008-04-25 |
iDefense Microsoft PowerPoint PPT95 Import Multiple Stack Buffer Overflow Vulnerabilities Heap Corruption Vulnerability (MS09-017, CVE-2009-1129) Vulnerability Reported The vulnerabilities occur when reading sound data from a PowerPoint file. In both cases, a value representing a record length is read in from the file. This value is then used to control the number of bytes read into a fixed-size stack buffer. There is no check performed to ensure that the buffer can hold the number of bytes specified, which results in a stack buffer overflow. |
2008-04-07 |
Zero Day Initiative (ZDI) ZDI-09-019: Microsoft Office PowerPoint OutlineTextRefAtom Parsing Memory Corruption Vulnerability Memory Corruption Vulnerability (MS09-017, CVE-2009-0556) Vulnerability Reported The specific flaw exists in the parsing of the OutlineTextRefAtom (3998). Specifying an invalid "index" value causes memory corruption during parsing. Proper exploitation can lead to remote code execution under the credentials of the currently logged-in user. |
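
Two defect classes recur in the entries above: a file-supplied 32-bit record count multiplied into an allocation size (CVE-2009-0221), and a file-supplied length used to copy into a fixed-size buffer (the PPT 4.0 and PPT95 importer entries). The following C sketch is an added illustration of the checks a parser needs in each case; it is not code from PowerPoint or from any of the cited advisories, and the record size, buffer size, field layout and function names are all hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define REC_SIZE 24u          /* hypothetical on-disk record size */
#define NAME_MAX_LEN 32u      /* hypothetical fixed buffer size */

/* Size as the flawed pattern computes it: the 32-bit multiply wraps silently. */
uint32_t unchecked_alloc_size(uint32_t count) {
    return count * REC_SIZE;
}

/* Hardened: reject counts whose byte size overflows 32 bits or exceeds
 * the bytes actually left in the file. Returns 0 on success, -1 on reject. */
int checked_alloc_size(uint32_t count, size_t bytes_left, uint32_t *out) {
    if (count > UINT32_MAX / REC_SIZE) return -1;   /* product would wrap */
    uint32_t need = count * REC_SIZE;
    if (need > bytes_left) return -1;               /* count overstates the file */
    *out = need;
    return 0;
}

/* Hardened copy of a length-prefixed string: [u16 length, little-endian][bytes].
 * Returns the string length, or -1 if the length field cannot be trusted. */
int read_name(const uint8_t *p, size_t avail, char dst[NAME_MAX_LEN]) {
    if (avail < 2) return -1;
    size_t len = (size_t)p[0] | ((size_t)p[1] << 8);
    if (len > avail - 2) return -1;        /* length runs past the input */
    if (len >= NAME_MAX_LEN) return -1;    /* would not fit with the NUL */
    memcpy(dst, p + 2, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void) {
    uint32_t sz = 0;
    /* Constructed count: 0x0AAAAAAB * 24 = 0x100000008, which wraps to 8. */
    uint32_t wrapped = unchecked_alloc_size(0x0AAAAAABu);
    int rc = checked_alloc_size(0x0AAAAAABu, 4096, &sz);
    const uint8_t rec[] = { 0x40, 0x00, 'A', 'B' };  /* constructed: claims 64 bytes */
    char name[NAME_MAX_LEN];
    int rn = read_name(rec, sizeof rec, name);
    return (wrapped == 8 && rc == -1 && rn == -1) ? 0 : 1;
}
```

Bounding the count by the bytes remaining in the file, and not only by the arithmetic limit, also rejects counts that do not overflow but still claim more records than the file can contain.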