CERT-In Vulnerability Note CIVN-2008-131
Multiple Vulnerabilities in Microsoft PowerPoint
Original Issue Date:
August 14, 2008
Severity Rating:
High
Systems Affected
- Microsoft Office PowerPoint 2007 Service Pack 1
- Microsoft Office PowerPoint 2007
- Microsoft Office PowerPoint 2003 Service Pack 3
- Microsoft Office PowerPoint 2003 Service Pack 2
- Microsoft Office PowerPoint 2002 Service Pack 3
- Microsoft Office PowerPoint 2000 Service Pack 3
- Microsoft Office PowerPoint Viewer 2003
- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
- Microsoft Office 2004 for Mac
Overview
Multiple vulnerabilities have been reported in Microsoft Office PowerPoint and Microsoft Office PowerPoint Viewer that could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system.
Description
1. Cstring Integer Overflow Vulnerability (CVE-2008-0120)
A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint Viewer 2003 handles specially crafted PowerPoint files, which could be included as an e-mail attachment or hosted on a specially crafted or compromised Web site by an attacker. An integer overflow in the handling of CString objects embedded in a PowerPoint presentation file causes a very small buffer to be allocated while a very large amount of attacker-supplied data is copied into it. This leads to an exploitable heap-based buffer overflow.
Workaround
- Do not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.
2. Out of Bounds Array Index Vulnerability (CVE-2008-0121)
An out-of-bounds array index vulnerability exists in the way that Microsoft Office PowerPoint Viewer 2003 handles certain records, which could be exploited by an attacker to execute arbitrary code in the context of the user running the application. In some circumstances, an array index can be directly controlled by data from within the PowerPoint presentation file. Thus, a function pointer can be directly controlled by the attacker and leveraged for arbitrary code execution.
Workaround
- Do not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.
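The following is an added illustration, not code from the CERT-In note, iDefense, or Microsoft: a toy record parser that reproduces the two bug classes described under vulnerabilities 1 and 2 above (an integer overflow in a CString length computation, and a file-controlled index into a function-pointer table), each beside a hardened form. The record layout, the type numbers 0x0FBA/0x0FBB, the 4096-character cap and the handler table are all constructed for this example and are not the real PowerPoint binary format or the Viewer's actual code.

```c
/* Added example: constructed record format and handlers, NOT the real
 * PowerPoint file format and NOT PowerPoint Viewer code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REC_HEADER        8       /* 4-byte type + 4-byte length, little-endian (hypothetical) */
#define REC_CSTRING       0x0FBA  /* hypothetical "CString" record type */
#define REC_DISPATCH      0x0FBB  /* hypothetical record carrying a handler index */
#define MAX_CSTRING_CHARS 4096u   /* sanity limit chosen for this example */

struct record { uint32_t type; uint32_t len; const uint8_t *data; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Reads one record header; rejects a length that exceeds the bytes actually present. */
bool parse_record(const uint8_t *buf, size_t buflen, struct record *r)
{
    if (buflen < REC_HEADER) return false;
    r->type = le32(buf);
    r->len  = le32(buf + 4);
    r->data = buf + REC_HEADER;
    return r->len <= buflen - REC_HEADER;
}

/* 1. Integer overflow in a length computation (the CVE-2008-0120 pattern).
 * The payload's first 4 bytes give a character count; the body is 2 bytes per
 * character plus a 2-byte terminator. Vulnerable: the size is computed in 32-bit
 * arithmetic straight from file data, so nchars = 0x7FFFFFFF wraps to 0, a tiny
 * heap block into which nchars*2 bytes would then be copied. */
uint32_t cstring_alloc_vulnerable(uint32_t nchars)
{
    return nchars * 2u + 2u;    /* wraps modulo 2^32; never checked against nchars */
}

/* Hardened: cap the count before multiplying and tie it to the record length. */
bool cstring_alloc_safe(const struct record *r, uint32_t *alloc_out)
{
    if (r->type != REC_CSTRING || r->len < 4) return false;
    uint32_t nchars = le32(r->data);
    if (nchars > MAX_CSTRING_CHARS) return false;   /* so nchars*2+2 cannot overflow */
    if (nchars * 2u > r->len - 4) return false;     /* body must fit inside the record */
    *alloc_out = nchars * 2u + 2u;
    return true;
}

/* 2. File-controlled array index into a function-pointer table (the CVE-2008-0121 pattern). */
static int handler_a(const struct record *r) { (void)r; return 1; }
static int handler_b(const struct record *r) { (void)r; return 2; }
static int (*const handlers[])(const struct record *) = { handler_a, handler_b };
#define NUM_HANDLERS (sizeof handlers / sizeof handlers[0])

/* Vulnerable: idx comes straight from the file; idx >= NUM_HANDLERS reads a
 * "function pointer" from memory past the table and calls it. Never run on untrusted input. */
int dispatch_vulnerable(const struct record *r)
{
    uint32_t idx = le32(r->data);
    return handlers[idx](r);
}

/* Hardened: validate the index against the table size before using it. */
int dispatch_safe(const struct record *r)
{
    if (r->type != REC_DISPATCH || r->len < 4) return -1;
    uint32_t idx = le32(r->data);
    if (idx >= NUM_HANDLERS) return -1;
    return handlers[idx](r);
}

/* Constructed sample records (not taken from any real file). */
static const uint8_t benign_cstring[]   = { 0xBA,0x0F,0,0, 6,0,0,0, 1,0,0,0, 'H',0 };
static const uint8_t crafted_cstring[]  = { 0xBA,0x0F,0,0, 4,0,0,0, 0xFF,0xFF,0xFF,0x7F };
static const uint8_t benign_dispatch[]  = { 0xBB,0x0F,0,0, 4,0,0,0, 1,0,0,0 };
static const uint8_t crafted_dispatch[] = { 0xBB,0x0F,0,0, 4,0,0,0, 0x41,0x41,0x41,0x41 };

/* Hardened path over a raw buffer: allocation size for a CString record, or -1 if rejected. */
long safe_cstring_alloc(const uint8_t *buf, size_t len)
{
    struct record r; uint32_t n;
    if (!parse_record(buf, len, &r) || !cstring_alloc_safe(&r, &n)) return -1;
    return (long)n;
}

/* Hardened path over a raw buffer: handler result for a dispatch record, or -1 if rejected. */
int safe_dispatch(const uint8_t *buf, size_t len)
{
    struct record r;
    return parse_record(buf, len, &r) ? dispatch_safe(&r) : -1;
}

int main(void)
{
    printf("benign CString: alloc=%ld\n", safe_cstring_alloc(benign_cstring, sizeof benign_cstring));
    printf("crafted CString: vulnerable alloc=%u, hardened=%ld\n",
           cstring_alloc_vulnerable(0x7FFFFFFFu), safe_cstring_alloc(crafted_cstring, sizeof crafted_cstring));
    printf("benign dispatch: %d, crafted dispatch: %d\n",
           safe_dispatch(benign_dispatch, sizeof benign_dispatch),
           safe_dispatch(crafted_dispatch, sizeof crafted_dispatch));
    return 0;
}
```

The two hardened checks are the ones a parser for any length-prefixed binary format needs: bound every count taken from the file before it enters an arithmetic expression that sizes an allocation, and bound every index taken from the file against the table it selects from. The vulnerable forms are kept only to show the arithmetic; the example never executes them on the crafted records.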
3. Parsing Overflow Vulnerability (CVE-2008-1455)
A remote code execution vulnerability exists in the way that Microsoft Office PowerPoint handles specially crafted PowerPoint files. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.
Workarounds
- Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources. MOICE applies to Office 2003 and Office 2007 installations and requires the Microsoft Office Compatibility Pack.
- Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.
- Do not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.
Solution
Apply the appropriate updates as described in Microsoft Security Bulletin MS08-051.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms08-051.mspx
References
iDefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=738
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=739
SecuriTeam
http://www.securiteam.com/windowsntfocus/5YP0G0UP5K.html
http://www.securiteam.com/windowsntfocus/5ZP0H0UP5G.html
Secunia
http://secunia.com/advisories/31453
SecurityTracker
http://securitytracker.com/alerts/2008/Aug/1020676.html
FrSIRT
http://www.frsirt.com/english/advisories/2008/2355
SecurityFocus
http://www.securityfocus.com/bid/30554
http://www.securityfocus.com/bid/30552
AusCERT
http://www.auscert.org.au/render.html?it=9706
CVE Name
CVE-2008-0120
CVE-2008-0121
CVE-2008-1455
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003