Microsoft PowerPoint OutlineTextRefAtom Parsing Vulnerability

SA34572

CVE-2009-0556

03 Apr 2009

10 Jun 2009

Extremely Critical

Partial Fix

Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office XP
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft Powerpoint 2003

From remote

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

A vulnerability has been reported in Microsoft PowerPoint, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error when processing certain index values inside OutlineTextRefAtom atoms. This may result in access to an invalid object in memory when parsing a specially crafted PowerPoint file.

Successful exploitation allows execution of arbitrary code.

NOTE: According to Microsoft, the vulnerability is currently being actively exploited.

Apply patches.

Microsoft Office PowerPoint 2000 SP3:
http://www.microsoft.com/downloads/details.aspx?familyid=f443312a-ac74-4ebc-a4ac-7a756aa67894

Microsoft Office PowerPoint 2002 SP3:
http://www.microsoft.com/downloads/details.aspx?familyid=a24ec7ab-c1c7-4ddb-8b6e-107f1af67f49

Microsoft Office PowerPoint 2003 SP3:
http://www.microsoft.com/downloads/details.aspx?familyid=ccfa978b-3340-40db-a45d-c880ba36b106

Microsoft Office 2004 for Mac:
http://www.microsoft.com/downloads/details.aspx?FamilyID=5557bfb7-ebb4-4c42-8042-41e830c4e550

Reported as a 0-day.

MS09-017 (KB957781, KB957784, KB957789, KB957790, KB967340, KB969615, KB969618, KB970059, KB969661):
http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx

Microsoft:
http://www.microsoft.com/technet/security/advisory/969136.mspx

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-019/