Microsoft updates Office to address serious PowerPoint vulnerabilities

By Robert Westervelt, News Editor 12 May 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft issued only one Security Bulletin this month, addressing 14 vulnerabilities in its PowerPoint presentation program.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The software giant's MS09-017 update to Microsoft Office repaired the flaws, which were being actively exploited by attackers. Eleven of the 14 flaws were rated critical. The remote code execution vulnerabilities in Microsoft Office PowerPoint included several memory corruption flaws, legacy file handling errors and an integer overflow error. The update affects all versions of Microsoft Office for Windows.

"The security of our customers is important to us and due to these active attacks, we have released the updates for one product line so that the majority of our customers can protect their systems," Jerry Bryant, senior security program manager wrote on the Microsoft Security Response Center blog.

Recent Microsoft updates: April - Microsoft patches serious Excel zero-day, Windows flaws Microsoft is patching flaws in Excel and WordPad that are reportedly being actively exploited in the wild and could allow an attacker to gain access to sensitive data. March - Microsoft patches critical Windows kernel flaw: A critical flaw in the Windows graphics rendering component could be exploited by an attacker to gain access to sensitive data and take control of a machine. Feb. - Microsoft fixes critical IE 7, Exchange flaws: Memory corruption errors in IE 7 and a message processing error in Exchange leave systems vulnerable to attack, Microsoft said. Jan. - Microsoft updates critical SMB server flaws: The latest Microsoft security update addresses two critical remote code execution vulnerabilities and a denial-of-service flaw in the Server Message Block.

In a blog entry, Jonathan Ness of MSRC engineering said the update introduces substantial hardening to PowerPoint's parsing engine. Ness called the update "out of the ordinary."

"We normally do not update one supported platform before another but given this situation of a package available for an entire product line that protects the vast majority of customers at risk within the predictable release cycle, we made a decision to go early with the Windows packages,' he wrote in Microsoft's Security Research & Defense blog. <

Attackers have been actively exploiting the errors since April when Microsoft issued an advisory warning of ongoing attacks in the wild. Microsoft researchers called the attacks the first reliable exploits seen in the wild that infect Office 2003 SP3 with the latest security updates.

The flaws could be exploited by tricking users into opening a malicious PowerPoint file. The files contain a Trojan dropper embedded within the presentation. The file can be passed via an email with a malicious PowerPoint attachment or by tricking users into viewing a malicious website.

Microsoft gave the update a 1 on its exploitability index, meaning that consistent exploit code is likely in the wild. The update disables by default the ability to open PowerPoint 4.0 file formats in Microsoft Office PowerPoint 2000 and Microsoft Office PowerPoint 2002. Later versions of PowerPoint already have been disabled. Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, Microsoft Works 8.5 and Microsoft Works 9.0 will be released when testing is complete, Microsoft said.

Tas Giakomuniakis, CTO at vulnerability management vendor Rapid7, pointed out that most of the flaws were reported to Microsoft by researchers working through the iDefense and TippingPoint vulnerability acquisition programs, highlighting the increased value of vulnerabilities and the amount of effort required to find them.

SearchSecurity radio:

"The large number of vulnerabilities in PowerPoint is not that surprising, considering the immense attack surface and poor code quality of the legacy file format parsers in Microsoft Office," he said in a statement.

Other patching experts said that popular applications like Adobe Reader, Microsoft Word, Excel and PowerPoint have been the consistent choice of attackers. The flaws could be exploited by simply tricking a user into opening a malicious file or clicking on a malicious link. Ultimately, the flaws open a door to other malware that steal sensitive information on victim's machines.

Tags: Windows Security: Alerts, Updates and Best Practices,  Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Windows Security: Alerts, Updates and Best Practices Microsoft to address flaws in Windows, Office for Mac Microsoft fixes security update that breaks Internet Explorer What is the best database patch management process? Microsoft addresses critical SMBv2 flaw, fixes record number of flaws Microsoft to address SMB zero-day, IIS FTP Service vulnerabilities Microsoft releases temporary fix for SMB2 zero-day vulnerability Microsoft issues SMB vulnerability advisory, patch pending Attackers target Microsoft IIS; new SMB flaw discovered Microsoft repairs Windows media, TCP/IP vulnerabilities Microsoft five critical updates won't include IIS Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary BotHunter  (SearchSecurity.com) principle of least privilege (POLP)  (SearchSecurity.com) security identifier  (SearchSecurity.com) trusted computing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary