Microsoft issued only one Security Bulletin this month, addressing 14 vulnerabilities in its PowerPoint presentation program.
The software giant's MS09-017 update to Microsoft Office repaired the flaws, which were being actively exploited by attackers. Eleven of the 14 flaws were rated critical. The remote code execution vulnerabilities in Microsoft Office PowerPoint included several memory corruption flaws, legacy file handling errors and an integer overflow error. The update affects all versions of Microsoft Office for Windows.
"The security of our customers is important to us and due to these active attacks, we have released the updates for one product line so that the majority of our customers can protect their systems," Jerry Bryant, senior security program manager, wrote on the Microsoft Security Response Center blog.
In a blog entry, Jonathan Ness of MSRC engineering said the update introduces substantial hardening to PowerPoint's parsing engine. Ness called the update "out of the ordinary."
"We normally do not update one supported platform before another but given this situation of a package available for an entire product line that protects the vast majority of customers at risk within the predictable release cycle, we made a decision to go early with the Windows packages," he wrote in Microsoft's Security Research & Defense blog.
Attackers have been actively exploiting the errors since April when Microsoft issued an advisory warning of ongoing attacks in the wild. Microsoft researchers called the attacks the first reliable exploits seen in the wild that infect Office 2003 SP3 with the latest security updates.
The flaws could be exploited by tricking users into opening a malicious PowerPoint file. The files contain a Trojan dropper embedded within the presentation. The file can be delivered as a malicious PowerPoint attachment to an email or by tricking users into visiting a malicious website.
Microsoft gave the update a 1 on its exploitability index, meaning that consistent exploit code is likely in the wild. The update disables by default the ability to open PowerPoint 4.0 file formats in Microsoft Office PowerPoint 2000 and Microsoft Office PowerPoint 2002; in later versions of PowerPoint, that ability has already been disabled. Updates for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, Microsoft Works 8.5 and Microsoft Works 9.0 will be released when testing is complete, Microsoft said.
Tas Giakouminakis, CTO at vulnerability management vendor Rapid7, pointed out that most of the flaws were reported to Microsoft by researchers working through the iDefense and TippingPoint vulnerability acquisition programs, highlighting the increased value of vulnerabilities and the amount of effort required to find them.
Other patching experts said that popular applications like Adobe Reader, Microsoft Word, Excel and PowerPoint have been the consistent choice of attackers. The flaws could be exploited by simply tricking a user into opening a malicious file or clicking on a malicious link. Ultimately, the flaws open a door to other malware that steals sensitive information on victims' machines.