
CERT-In Advisory CIAD-2009-24
Multiple Vulnerabilities in Microsoft Office PowerPoint

Original issue date: May 13, 2009

Severity Rating: High

Affected Software

  • Microsoft Office Suites and Components
    • Microsoft Office 2000 Service Pack 3
    • Microsoft Office XP Service Pack 3
    • Microsoft Office 2003 Service Pack 3
    • 2007 Microsoft Office System Service Pack 1
    • 2007 Microsoft Office System Service Pack 2

  • Microsoft Office for Mac
    • Microsoft Office 2004 for Mac
    • Microsoft Office 2008 for Mac
    • Open XML File Format Converter for Mac

  • Other Office Software
    • PowerPoint Viewer 2003
    • PowerPoint Viewer 2007 Service Pack 1
    • PowerPoint Viewer 2007 Service Pack 2
    • Microsoft Office Compatibility Pack for Word, Excel, and
      PowerPoint 2007 File Formats Service Pack 1
    • Microsoft Office Compatibility Pack for Word, Excel, and
      PowerPoint 2007 File Formats Service Pack 2
    • Microsoft Works 8.5
    • Microsoft Works 9.0

Overview

Multiple vulnerabilities have been reported in Microsoft Office PowerPoint that could allow a remote attacker to execute arbitrary code and take complete control of an affected system if a user opens a specially crafted PowerPoint file.

Description

1. Legacy File Format Vulnerability
    (CVE-2009-0220)

A remote code execution vulnerability exists in Microsoft Office PowerPoint. This vulnerability is caused by improper processing of PowerPoint Version 4.0 documents. Microsoft Office PowerPoint uses pp4x322.dll to open Version 4.0 file types. Memory corruption could occur while processing a malformed legacy document.

2. Integer Overflow Vulnerability
    (CVE-2009-0221)

An integer overflow vulnerability exists in Microsoft Office PowerPoint. This vulnerability is caused by insufficient validation of unspecified parameters. An integer overflow condition could occur while processing a malformed record within a specially crafted PowerPoint document.

3. Legacy File Format Vulnerability
    (CVE-2009-0222)

A remote code execution vulnerability exists in Microsoft Office PowerPoint. This vulnerability is caused by an error in handling older Microsoft PowerPoint file types. A memory corruption condition could occur while processing PowerPoint version 4.0 documents.

4.  Legacy File Format Vulnerability
    (CVE-2009-0223)

A remote code execution vulnerability exists in Microsoft Office PowerPoint. This vulnerability is caused by improper handling of sound data embedded in PowerPoint documents. An error could be triggered, leading to a memory corruption condition, while processing a specially crafted document containing malformed sound data parameters.

5. Memory Corruption Vulnerability
    (CVE-2009-0224)

A remote code execution vulnerability exists in Microsoft Office PowerPoint, Office for Mac, and PowerPoint Viewer. This vulnerability is caused by the processing of invalid record types in PowerPoint files. Process memory could be corrupted while processing a malformed PowerPoint document.

6. PP7 Memory Corruption Vulnerability
    (CVE-2009-0225)

A remote code execution vulnerability exists in Microsoft Office PowerPoint 2002 SP3 and prior. This vulnerability is caused by improper handling of sound data values within PowerPoint 95 documents. A memory corruption condition could occur while processing malicious sound data in a specially crafted PowerPoint document.

7. Legacy File Format Vulnerability
    (CVE-2009-0226)

A remote code execution vulnerability exists in Microsoft Office PowerPoint. This vulnerability is caused by errors in processing sound data embedded within PowerPoint version 4.0 documents. A memory corruption condition could occur while processing malicious sound data in a specially crafted PowerPoint document.

8. Legacy File Format Vulnerability
    (CVE-2009-0227)

A remote code execution vulnerability exists in Microsoft Office PowerPoint. This vulnerability is caused by improper handling of malformed sound data embedded within PowerPoint version 4.0 documents. A memory corruption condition could occur while processing malicious sound parameters when a specially crafted PowerPoint file is opened.

9. Memory Corruption Vulnerability
    (CVE-2009-0556)

A remote code execution vulnerability exists in Microsoft Office PowerPoint. This vulnerability is caused by improper handling of invalid index values. A memory corruption condition could occur while processing malicious values within a specially crafted PowerPoint file.

10. PP7 Memory Corruption Vulnerability
      (CVE-2009-1128)

A memory corruption vulnerability exists in Microsoft Office PowerPoint. This vulnerability is caused by improper validation of data within PowerPoint 95 files before that data is used in memory operations. Microsoft Office PowerPoint uses the pp7x32.dll library to translate some legacy file formats, and this library fails to safely handle documents containing malformed sound data objects.

11. PP7 Memory Corruption Vulnerability
      (CVE-2009-1129)

A memory corruption vulnerability exists in Microsoft Office PowerPoint. This vulnerability is caused by unsafe processing of malformed sound data within older PowerPoint document formats. Microsoft Office PowerPoint fails to check sound data before using it in memory operations.

12. Heap Corruption Vulnerability
      (CVE-2009-1130)

A heap corruption vulnerability exists in Microsoft Office PowerPoint. This vulnerability is caused by improper handling of malformed structures within PowerPoint documents. A memory corruption condition could occur while processing a document containing malicious structures.

13. Data Out of Bounds Vulnerability
      (CVE-2009-1131)

A remote code execution vulnerability exists in Microsoft Office PowerPoint. This vulnerability is caused by insufficient boundary restrictions on input within PowerPoint documents. Microsoft Office PowerPoint improperly allocates memory while processing unspecified parameters, resulting in the corruption of process memory.

14. Legacy File Format Vulnerability
      (CVE-2009-1137)

A remote code execution vulnerability exists in Microsoft Office PowerPoint. This vulnerability is caused by improper handling of invalid sound data within legacy files. Microsoft Office PowerPoint fails to properly handle malformed data in PowerPoint Version 4.0 documents, causing memory corruption and improper memory operations.

An unauthenticated, remote attacker could exploit these vulnerabilities by enticing an unsuspecting user to open a specially crafted malicious PowerPoint document, which could cause memory corruption and allow the attacker to execute arbitrary code with the privileges of the currently logged-in user on the affected system.

Workarounds

  • Restrict access to pp4x322.dll and pp7x32.dll in Microsoft Office PowerPoint 2000 or Microsoft Office PowerPoint 2002
  • Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources
  • Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations
  • Configure accounts with reduced (least) privileges for normal users
  • Do not open or save PowerPoint files received from unknown and untrusted sources
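The first workaround above is only effective if the deny ACL is actually present on the two legacy converter DLLs. The following audit script is an added example, not part of the CERT-In advisory or of Microsoft's bulletin; it assumes a Windows host with PowerShell 3.0 or later and read access to the Office installation directories, takes only the DLL file names (pp4x322.dll, pp7x32.dll) from the advisory, and discovers their paths at run time.

```powershell
# Added audit script (not from the advisory): find the legacy converter DLLs
# named in the workaround and report whether an explicit Deny ACE for
# Everyone exists, which is what "restrict access" to these DLLs means here.
# Assumption: PowerShell 3.0+ on the affected host; paths are discovered
# at run time rather than hard-coded.

# DLL names from the advisory's workaround list.
$dllNames = @('pp4x322.dll', 'pp7x32.dll')

# Search both 32-bit and 64-bit Program Files roots, skipping any that are unset.
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Test-LegacyConverterRestricted {
    param(
        [string[]]$Names,
        [string[]]$Roots
    )
    foreach ($root in $Roots) {
        $files = Get-ChildItem -Path $root -Recurse -Include $Names -File `
                               -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $acl = Get-Acl -Path $f.FullName
            # The workaround is in place only when Everyone (well-known SID
            # S-1-1-0) is explicitly denied on the file.
            $denyEveryone = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Value -in @('Everyone', 'S-1-1-0')
            }
            [pscustomobject]@{
                Path       = $f.FullName
                Restricted = [bool]$denyEveryone
                DenyRights = ($denyEveryone | ForEach-Object { $_.FileSystemRights }) -join ','
            }
        }
    }
}

$results = Test-LegacyConverterRestricted -Names $dllNames -Roots $searchRoots
if (-not $results) {
    Write-Output 'Neither DLL was found; the legacy converters may not be installed.'
} else {
    # Any row with Restricted = False still exposes the legacy converter.
    $results | Format-Table -AutoSize
}
```

Run the script before and after applying the workaround to confirm the ACL change took effect; once the MS09-017 patch is installed the workaround can be reverted.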

Solution

Apply the appropriate patches as described in Microsoft Security Bulletin MS09-017.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx

References

iDefense Labs
http://labs.idefense.com/news/msft/2009-05-12.php
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=790
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=796
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=788
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=793
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=787
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=792
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=791
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=794

Zero Day Initiative
http://www.zerodayinitiative.com/advisories/ZDI-09-019/
http://www.zerodayinitiative.com/advisories/ZDI-09-020/

CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=18127
http://tools.cisco.com/security/center/viewAlert.x?alertId=18128
http://tools.cisco.com/security/center/viewAlert.x?alertId=18129
http://tools.cisco.com/security/center/viewAlert.x?alertId=18130
http://tools.cisco.com/security/center/viewAlert.x?alertId=18131
http://tools.cisco.com/security/center/viewAlert.x?alertId=18132
http://tools.cisco.com/security/center/viewAlert.x?alertId=18133
http://tools.cisco.com/security/center/viewAlert.x?alertId=18134
http://tools.cisco.com/security/center/viewAlert.x?alertId=17966
http://tools.cisco.com/security/center/viewAlert.x?alertId=18135
http://tools.cisco.com/security/center/viewAlert.x?alertId=18136
http://tools.cisco.com/security/center/viewAlert.x?alertId=18137
http://tools.cisco.com/security/center/viewAlert.x?alertId=18138
http://tools.cisco.com/security/center/viewAlert.x?alertId=18145

VUPEN Security
http://www.vupen.com/english/advisories/2009/1290

SecurityTracker
http://www.securitytracker.com/alerts/2009/May/1022205.html

Secunia
http://secunia.com/advisories/32428/3/

CVE Name
CVE-2009-0220
CVE-2009-0221
CVE-2009-0222
CVE-2009-0223
CVE-2009-0224
CVE-2009-0225
CVE-2009-0226
CVE-2009-0227
CVE-2009-0556
CVE-2009-1128
CVE-2009-1129
CVE-2009-1130
CVE-2009-1131
CVE-2009-1137

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003