Microsoft updates Office to address serious PowerPoint vulnerabilities

By Robert Westervelt, News Editor
12 May 2009 | SearchSecurity.com


Microsoft issued only one Security Bulletin this month, addressing 14 vulnerabilities in its PowerPoint presentation program.

The software giant's MS09-017 update to Microsoft Office repaired the flaws, which were being actively exploited by attackers. Eleven of the 14 flaws were rated critical. The remote code execution vulnerabilities in Microsoft Office PowerPoint included several memory corruption flaws, legacy file handling errors and an integer overflow error. The update affects all versions of Microsoft Office for Windows.

"The security of our customers is important to us and due to these active attacks, we have released the updates for one product line so that the majority of our customers can protect their systems," Jerry Bryant, senior security program manager, wrote on the Microsoft Security Response Center blog.

In a blog entry, Jonathan Ness of MSRC engineering said the update introduces substantial hardening to PowerPoint's parsing engine. Ness called the update "out of the ordinary."

"We normally do not update one supported platform before another but given this situation of a package available for an entire product line that protects the vast majority of customers at risk within the predictable release cycle, we made a decision to go early with the Windows packages," he wrote on Microsoft's Security Research & Defense blog.

Attackers have been actively exploiting the errors since April when Microsoft issued an advisory warning of ongoing attacks in the wild. Microsoft researchers called the attacks the first reliable exploits seen in the wild that infect Office 2003 SP3 with the latest security updates.

The flaws could be exploited by tricking users into opening a malicious PowerPoint file. The files contain a Trojan dropper embedded within the presentation. The file can be passed via an email with a malicious PowerPoint attachment or by tricking users into viewing a malicious website.

Microsoft gave the update a 1 on its exploitability index, meaning that consistent exploit code is likely in the wild. The update disables by default the ability to open PowerPoint 4.0 file formats in Microsoft Office PowerPoint 2000 and Microsoft Office PowerPoint 2002; later versions of PowerPoint already have that ability disabled. Updates for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, Microsoft Works 8.5 and Microsoft Works 9.0 will be released when testing is complete, Microsoft said.

Tas Giakouminakis, CTO at vulnerability management vendor Rapid7, pointed out that most of the flaws were reported to Microsoft by researchers working through the iDefense and TippingPoint vulnerability acquisition programs, highlighting the increased value of vulnerabilities and the amount of effort required to find them.

"The large number of vulnerabilities in PowerPoint is not that surprising, considering the immense attack surface and poor code quality of the legacy file format parsers in Microsoft Office," he said in a statement.
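The integer overflow class mentioned among the MS09-017 flaws, and the legacy-parser code quality Giakouminakis refers to, come down to a recurring pattern in binary record parsers: a length is derived from an attacker-controlled count with arithmetic that wraps silently, and the wrapped value is then trusted for allocation or copying. The following is an added illustration written for this article, not Microsoft's code and not the real PowerPoint file format; the record layout, the `ENTRY_SIZE` constant and the function names are all constructed for the example. It shows the naive length computation wrapping, and beside it a hardened header parse that checks for overflow before multiplying and checks the result against the bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy record layout (NOT the PowerPoint binary format):
 *   bytes 0..3  record type, little-endian uint32
 *   bytes 4..7  entry count, little-endian uint32
 *   bytes 8..   `count` entries of ENTRY_SIZE bytes each
 */
#define HDR_SIZE   8u
#define ENTRY_SIZE 16u

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_OVERFLOW = 2 };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Test-input helper: writes the 8-byte header. */
void make_header(uint8_t *out, uint32_t type, uint32_t count)
{
    wr_le32(out, type);
    wr_le32(out + 4, count);
}

/* The classic defect: byte length derived from an untrusted count with
 * 32-bit arithmetic that wraps. A parser that allocates this many bytes
 * and then copies `count` entries writes far past the allocation. */
uint32_t naive_payload_len(uint32_t count)
{
    return count * ENTRY_SIZE;   /* wraps when count > UINT32_MAX / ENTRY_SIZE */
}

/* Hardened header parse: reject counts whose byte length cannot be
 * represented, then reject lengths larger than the input really holds.
 * Only after both checks is the payload length handed to the caller. */
enum parse_status parse_record(const uint8_t *buf, size_t len,
                               uint32_t *type_out, uint32_t *count_out,
                               uint32_t *payload_len_out)
{
    if (len < HDR_SIZE)
        return PARSE_TRUNCATED;

    uint32_t type  = rd_le32(buf);
    uint32_t count = rd_le32(buf + 4);

    /* Overflow check before the multiplication, never after it. */
    if (count > UINT32_MAX / ENTRY_SIZE)
        return PARSE_OVERFLOW;
    uint32_t payload = count * ENTRY_SIZE;

    /* Bounds check against the bytes that are actually present. */
    if (payload > len - HDR_SIZE)
        return PARSE_TRUNCATED;

    *type_out = type;
    *count_out = count;
    *payload_len_out = payload;
    return PARSE_OK;
}

/* Walks the entries only as far as the validated count allows and sums
 * each entry's first byte. Returns 0 and reports the status on rejection. */
uint32_t sum_entry_tags(const uint8_t *buf, size_t len, enum parse_status *status)
{
    uint32_t type, count, payload, sum = 0;
    *status = parse_record(buf, len, &type, &count, &payload);
    if (*status != PARSE_OK)
        return 0;
    for (uint32_t i = 0; i < count; i++)
        sum += buf[HDR_SIZE + (size_t)i * ENTRY_SIZE];
    return sum;
}

int main(void)
{
    /* Constructed inputs: a well-formed two-entry record, and one whose
     * count makes count * ENTRY_SIZE wrap (0x10000001 * 16 == 0x10 mod 2^32). */
    uint8_t good[HDR_SIZE + 2 * ENTRY_SIZE];
    uint8_t bad[HDR_SIZE + 2 * ENTRY_SIZE];
    make_header(good, 0x0FA0, 2);
    memset(good + HDR_SIZE, 0x07, sizeof good - HDR_SIZE);
    make_header(bad, 0x0FA0, 0x10000001u);
    memset(bad + HDR_SIZE, 0x07, sizeof bad - HDR_SIZE);

    enum parse_status st;
    printf("naive length for wrapped count: %u bytes\n", naive_payload_len(0x10000001u));
    uint32_t s = sum_entry_tags(good, sizeof good, &st);
    printf("good record: sum=%u status=%d\n", s, (int)st);
    s = sum_entry_tags(bad, sizeof bad, &st);
    printf("bad record:  sum=%u status=%d\n", s, (int)st);
    return 0;
}
```

The order of the two checks is the point: the overflow test must compare the count against `UINT32_MAX / ENTRY_SIZE` before the product exists, because once the multiplication has wrapped, a later comparison of the (now small) product against the buffer length passes. Fuzzing a legacy parser with counts near the wrap boundary is the quickest way to find whether a given reader has this check.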

Other patching experts said that popular applications such as Adobe Reader, Microsoft Word, Excel and PowerPoint have been consistent targets for attackers. The flaws could be exploited simply by tricking a user into opening a malicious file or clicking a malicious link. Ultimately, the flaws open the door to other malware that steals sensitive information from victims' machines.
