Title

Multiple Remote Code Execution Vulnerabilities in Microsoft Office PowerPoint (Cat II impact)

Discussion

Microsoft has released a security bulletin addressing multiple vulnerabilities in Microsoft Office PowerPoint. To exploit these vulnerabilities, an attacker would entice a user to open a legitimate file located in the same network directory as a malicious dynamic link library (DLL) file or access a malicious PowerPoint file sent as an e-mail attachment or hosted on a Web site. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code and compromise the affected system. At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. PowerPoint Insecure Library Loading Vulnerability - (CVE-2011-3396): A remote code execution vulnerability exists in the way that Microsoft PowerPoint handles the loading of DLL files. The vulnerability is caused when Microsoft PowerPoint improperly restricts the path used for loading external libraries. An attacker who successfully exploited this vulnerability could take complete control of an affected system. OfficeArt Shape RCE Vulnerability - (CVE-2011-3413): A remote code execution vulnerability exists in the way that Microsoft PowerPoint handles specially crafted PowerPoint files. The vulnerability is caused when PowerPoint reads an invalid record in a specially crafted PowerPoint file, causing an error that could corrupt memory in such a way as to allow an attacker to execute arbitrary code. An attacker could exploit the vulnerability by creating a specially crafted PowerPoint file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

Check Content

See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS11-094 (2639142). Vulnerable Applications/Systems: Microsoft Office Suites and Components Microsoft Office 2007 SP2 Microsoft Office 2010 (x86, x64) Other Microsoft Office Software Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2 Microsoft PowerPoint Viewer 2007 SP2 Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems/Applications not listed below. Powerpnt.exe Microsoft Office 2007 SP2 – 12.0.6600.1000 Microsoft Office 2010 x86, x64 – 14.0.6009.1000 Ppcnv.dll Microsoft Office 2007 File Formats SP2 – 12.0.6654.5000 Pptview.exe Microsoft PowerPoint Viewer 2007 SP2 – 12.0.6654.5000

Fix Text

Additional Identifiers

Rule ID:

Vulnerability ID: V-30831

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.