DOE-CIRC TECHNICAL BULLETIN

T-134: Microsoft PowerPoint Notes Container Heap Memory Corruption Remote Code Execution Vulnerability

[CVE-2009-1130]

May 13, 2009 16:00 GMT

PROBLEM: Vulnerabilities in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file.
PLATFORM: Microsoft PowerPoint 2004 for Mac, Microsoft PowerPoint 2003 SP3 and all previous versions, Microsoft PowerPoint 2002 SP3 and all previous versions, Microsoft Windows 2000 Professional SP3 and all previous versions, Microsoft Windows 98 and all previous versions, Microsoft Windows ME, Microsoft Windows NT Workstation 4.0 SP6a and all previous versions, Microsoft Windows XP Home SP1 and all previous versions, Microsoft PowerPoint 2002 SP1, Microsoft Windows 2000 Advanced Server SP2 and all previous versions, Microsoft Windows 95 SR2 and all previous versions
ABSTRACT: Microsoft PowerPoint is prone to a remote code-execution vulnerability. An attacker could exploit this issue by enticing a victim to open a malicious PowerPoint file. Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-134.shtml
  OTHER LINKS: Microsoft Website
               http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx
               Security Focus Website
               http://www.securityfocus.com/archive/1/503454

CVE: CVE-2009-1130

IMPACT ASSESSMENT: The rating is medium. An attacker could entice a user to open a specially crafted PowerPoint presentation to execute arbitrary code on the targeted system.

[***** Start CVE-2009-1130 *****]

Discussion:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office
PowerPoint. User interaction is required to exploit this vulnerability: the target must open a malicious file.

The vulnerability exists in the parsing of certain structures inside a Notes container. While populating a C++ object
from the Notes container, PowerPoint reads more data than was allocated for that object, overwriting a function pointer
belonging to the object that is later used in a call from mso.dll. Successful exploitation can lead to remote code
execution under the credentials of the currently logged-in user.
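The following C program is an added example, not code from this bulletin, from Microsoft or from the original advisory. It models the bug class described above in miniature: a record parser that trusts the record's own length field when filling a fixed-size heap object, so a record longer than the object's buffer overwrites the function pointer stored right after it, next to the hardened form that checks the length against the field it is writing. The 8-byte record header (recVer/recInstance, recType, recLen, little-endian) follows the [MS-PPT] RecordHeader layout; the record type value RT_NOTES_EXAMPLE, the notes_obj layout, its 16-byte text field and the render callback are assumptions made for the demonstration and do not describe PowerPoint's real structures.

```c
/*
 * Added example, not code from the DOE-CIRC bulletin or from Microsoft:
 * a minimal C model of the bug class described above. A record parser
 * trusts the record's own length field when populating a fixed-size heap
 * object, so an oversized record overwrites a function pointer stored in
 * that object. The 8-byte RecordHeader layout (recVer/recInstance,
 * recType, recLen, little-endian) is the [MS-PPT] one; the record type
 * value, the object layout and the field sizes are assumptions made for
 * this demonstration and do not describe PowerPoint's real structures.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RT_NOTES_EXAMPLE 0x03F0u   /* assumed record type for the demo */
#define NOTES_TEXT_MAX   16u       /* capacity the parser actually allocated */

struct record_header {             /* precedes every record in the stream */
    uint16_t ver_instance;         /* recVer (low 4 bits) + recInstance */
    uint16_t type;                 /* recType */
    uint32_t len;                  /* recLen: payload bytes that follow */
};

struct notes_obj;
typedef void (*render_fn)(const struct notes_obj *);

/* The object being populated: a fixed buffer immediately followed by a
 * function pointer that a later code path calls. */
struct notes_obj {
    unsigned char text[NOTES_TEXT_MAX];
    render_fn render;
};

static void notes_render_stub(const struct notes_obj *o) { (void)o; }

/* Decode a little-endian RecordHeader; returns 0 if fewer than 8 bytes. */
static int read_header(const uint8_t *p, size_t avail, struct record_header *h)
{
    if (avail < 8) return 0;
    h->ver_instance = (uint16_t)(p[0] | (p[1] << 8));
    h->type = (uint16_t)(p[2] | (p[3] << 8));
    h->len = (uint32_t)p[4] | ((uint32_t)p[5] << 8) |
             ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24);
    return 1;
}

/* VULNERABLE: copies recLen bytes into an object that only has room for
 * NOTES_TEXT_MAX bytes of text, so payload bytes past text[] overwrite
 * o->render. Returns 1 if the function pointer was clobbered, 0 if it is
 * intact, -1 on a malformed stream. The sizeof(struct notes_obj) bound is
 * a demo-only guard so the write stays inside the allocation; the real
 * bug has no such bound and runs off the end of the heap chunk. */
int parse_notes_unsafe(const uint8_t *rec, size_t rec_size)
{
    struct record_header h;
    if (!read_header(rec, rec_size, &h) || h.type != RT_NOTES_EXAMPLE) return -1;
    if (h.len > rec_size - 8 || h.len > sizeof(struct notes_obj)) return -1;

    struct notes_obj *o = calloc(1, sizeof *o);
    if (!o) return -1;
    o->render = notes_render_stub;

    /* The bug: h.len is never compared with sizeof o->text. */
    memcpy((unsigned char *)o, rec + 8, h.len);

    int clobbered = (o->render != notes_render_stub);
    /* Real code would now call o->render(o) from another module; doing so
     * with attacker bytes in the pointer is the RCE, so this demo does not. */
    free(o);
    return clobbered;
}

/* HARDENED: rejects any record whose recLen exceeds the allocated field
 * before copying. Returns 1 if the record was accepted and rendered,
 * 0 if rejected, -1 on a malformed stream. */
int parse_notes_safe(const uint8_t *rec, size_t rec_size)
{
    struct record_header h;
    if (!read_header(rec, rec_size, &h) || h.type != RT_NOTES_EXAMPLE) return -1;
    if (h.len > rec_size - 8) return -1;
    if (h.len > NOTES_TEXT_MAX) return 0;      /* the missing check */

    struct notes_obj *o = calloc(1, sizeof *o);
    if (!o) return -1;
    o->render = notes_render_stub;
    memcpy(o->text, rec + 8, h.len);            /* bounded by the field */
    o->render(o);                               /* pointer is still ours */
    free(o);
    return 1;
}

/* Constructed sample input: a Notes record with payload_len bytes of 'A'.
 * Returns the total record size written, or 0 if cap is too small. */
size_t build_record(uint8_t *out, size_t cap, uint32_t payload_len)
{
    if (cap < 8 + (size_t)payload_len) return 0;
    out[0] = 0x0F; out[1] = 0x00;               /* recVer 0xF, recInstance 0 */
    out[2] = RT_NOTES_EXAMPLE & 0xFF; out[3] = (RT_NOTES_EXAMPLE >> 8) & 0xFF;
    out[4] = payload_len & 0xFF;         out[5] = (payload_len >> 8) & 0xFF;
    out[6] = (payload_len >> 16) & 0xFF; out[7] = (payload_len >> 24) & 0xFF;
    memset(out + 8, 'A', payload_len);
    return 8 + payload_len;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_record(buf, sizeof buf, (uint32_t)sizeof(struct notes_obj));
    printf("oversized record:    unsafe clobbered=%d, safe accepted=%d\n",
           parse_notes_unsafe(buf, n), parse_notes_safe(buf, n));
    n = build_record(buf, sizeof buf, 8);
    printf("well-formed record:  unsafe clobbered=%d, safe accepted=%d\n",
           parse_notes_unsafe(buf, n), parse_notes_safe(buf, n));
    return 0;
}
```

The point the two parsers make is that the stream-level check (does the record fit in the file?) is not the check that matters; the copy has to be bounded by the size of the destination field, which is what parse_notes_safe adds and parse_notes_unsafe lacks. The unsafe parser deliberately never invokes the overwritten pointer: with a file-controlled value in o->render, that call is the code execution the bulletin describes.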

Vulnerable Systems:
Microsoft PowerPoint 2004 for Mac
Microsoft PowerPoint 2003 SP3
Microsoft PowerPoint 2003 SP2
Microsoft PowerPoint 2003 SP1
Microsoft PowerPoint 2003
Microsoft Office 2003 SP3
Microsoft Office 2003 SP2
Microsoft Office 2003 SP1
Microsoft Office 2003
Microsoft PowerPoint 2002 SP3
Microsoft PowerPoint 2002 SP2
Microsoft PowerPoint 2002 SP1
Microsoft PowerPoint 2002
Microsoft Office XP
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Terminal Services SP2
Microsoft Windows 2000 Terminal Services SP1
Microsoft Windows 2000 Terminal Services
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98
Microsoft Windows 95 SR2
Microsoft Windows 95

Solution:
Microsoft has issued an update to correct this vulnerability. More details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS09-017.mspx

[***** End CVE-2009-1130 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:           866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788