CERT-In Vulnerability Note
CIVN-2011-0187
Microsoft PowerPoint Remote Code Execution Vulnerabilities
Original Issue Date: December 14, 2011
Severity Rating: HIGH
Systems Affected
- Microsoft Office 2007 SP 2
- Microsoft Office 2010 (32 & 64 bit)
- Microsoft Office 2008 for Mac
- Open XML File Format Converter for Mac
- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP 2
Component Affected
- Microsoft PowerPoint 2007 SP 2
- Microsoft PowerPoint 2010 (32 & 64 bit)
Overview
Two remote code execution vulnerabilities have been reported in Microsoft Office PowerPoint. A remote attacker could exploit them to execute arbitrary code and take control of the affected system in the context of the currently logged-in user.
Description
1. PowerPoint Insecure Library Loading Vulnerability (CVE-2011-3396)
This vulnerability exists because Microsoft PowerPoint fails to properly restrict the path used when loading external libraries. By persuading a victim to open a legitimate file that is located in the same directory as a specially crafted dynamic link library (DLL), for example on a UNC or WebDAV share, a remote attacker could exploit this vulnerability to execute arbitrary code on the system.
Workaround
- Disable loading of libraries from WebDAV and remote network shares
- Disable the WebClient service
- Block TCP ports 139 and 445 at the firewall
2. OfficeArt Shape Record Processing Code Execution Vulnerability (CVE-2011-3413)
This vulnerability is due to improper processing of a malformed OfficeArt record: PowerPoint fails to check the type of the elements in a container and incorrectly modifies a property of the object. This modification can corrupt memory in a way that leads to remote code execution in the context of PowerPoint.
Workaround
- Set Office File Validation to disable the opening of files that fail validation in PowerPoint 2003 and PowerPoint 2007
- Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations
- Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources
Note: For detailed steps and the impact of applying these workarounds, refer to Microsoft Security Bulletin MS11-094.
Note: This advisory replaces Bulletins MS11-022, MS11-036 and MS11-072.
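The following PowerShell script is an added example and is not part of the CERT-In note or of Microsoft's bulletin. It audits a Windows host for the workarounds listed above and, with -Apply, enforces the ones for the library loading issue: the CWDIllegalInDllSearch registry value documented in Microsoft KB2264107 (cited under References), the WebClient service, and a host firewall rule for TCP 139/445. The PowerPoint 2007 Office File Validation and File Block registry paths in section 2 of the script are assumptions and are only read, never written; verify them against the MS11-094 workaround text before relying on them. The script name, the firewall rule name and the Report helper are the author's own.

```powershell
<#
  Added example (not part of the CERT-In note or Microsoft's bulletin).
  Audits, and with -Apply enforces, the CIVN-2011-0187 workarounds on a
  Windows host. Run from an elevated Windows PowerShell prompt.
  CWDIllegalInDllSearch is documented in KB2264107 (see References).
  The PowerPoint 2007 registry paths in section 2 are ASSUMED and are
  audited only; confirm them against MS11-094.
#>
param(
    [switch]$Apply   # without -Apply the script only reports current state
)

$results = @()

function Report($Control, $Current, $Expected) {
    # Collect one row per control so the summary can be read at a glance
    $script:results += [pscustomobject]@{
        Control  = $Control
        Current  = $Current
        Expected = $Expected
        Ok       = ($Current -eq $Expected)
    }
}

# 1a. Restrict the DLL search path (KB2264107): 2 blocks DLL loads from
#     WebDAV and remote UNC shares when the current working directory is
#     on such a share; 1 blocks WebDAV only; 0xFFFFFFFF blocks the CWD.
$smKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$cwdVal = (Get-ItemProperty -Path $smKey -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
if ($Apply -and $cwdVal -ne 2) {
    New-ItemProperty -Path $smKey -Name CWDIllegalInDllSearch -PropertyType DWord -Value 2 -Force | Out-Null
    $cwdVal = 2
}
Report 'CWDIllegalInDllSearch' $cwdVal 2

# 1b. WebClient service: disabling it removes the WebDAV redirector that a
#     DLL hosted on a WebDAV share would be fetched through.
if (Get-Service -Name WebClient -ErrorAction SilentlyContinue) {
    $startMode = (Get-WmiObject Win32_Service -Filter "Name='WebClient'").StartMode
    if ($Apply -and $startMode -ne 'Disabled') {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
        $startMode = 'Disabled'
    }
    Report 'WebClient start mode' $startMode 'Disabled'
}

# 1c. Outbound TCP 139/445. The bulletin means the perimeter firewall; a
#     host rule is the nearest local equivalent. It also breaks legitimate
#     SMB access to file servers, so scope it to what the host needs.
$ruleName   = 'CIVN-2011-0187 block outbound TCP 139,445'
$ruleExists = (netsh advfirewall firewall show rule name="$ruleName" 2>$null) -match 'Rule Name'
if ($Apply -and -not $ruleExists) {
    netsh advfirewall firewall add rule name="$ruleName" dir=out action=block protocol=TCP remoteport=139,445 | Out-Null
    $ruleExists = $true
}
Report 'Firewall rule 139/445 outbound' ([bool]$ruleExists) $true

# 2.  PowerPoint 2007 (Office 12.0) per-user settings, ASSUMED paths.
#     InvalidFileUIOptions = 0 is expected to make files that fail Office
#     File Validation unopenable; BinaryFiles = 1 is expected to block
#     PowerPoint 97-2003 binary files. Audit only; do not trust unverified.
$ofvKey = 'HKCU:\Software\Microsoft\Office\12.0\PowerPoint\Security\FileValidation'
$fbKey  = 'HKCU:\Software\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock'
$ofv = (Get-ItemProperty -Path $ofvKey -Name InvalidFileUIOptions -ErrorAction SilentlyContinue).InvalidFileUIOptions
$fb  = (Get-ItemProperty -Path $fbKey  -Name BinaryFiles          -ErrorAction SilentlyContinue).BinaryFiles
Report 'OFV InvalidFileUIOptions (assumed path)' $ofv 0
Report 'FileOpenBlock BinaryFiles (assumed path)' $fb 1

$results | Format-Table -AutoSize
```

Run it without arguments first to see which controls are already in place; `-Apply` changes only the three controls from section 1, and the patch in MS11-094 remains the actual fix, since these workarounds only narrow the attack surface.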
Solution
Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS11-094
Vendor Information
Microsoft
http://technet.microsoft.com/en-us/security/bulletin/MS11-094
References
Microsoft
http://technet.microsoft.com/en-us/security/bulletin/MS11-094
http://support.microsoft.com/kb/2264107
SecurityFocus
http://www.securityfocus.com/bid/50967
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=24708
CVE Name
CVE-2011-3396
CVE-2011-3413
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India