Guess What...A New Microsoft Vulnerability
April 2009
MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY ADVISORY
DATE ISSUED:
4/2009
SUBJECT:
Vulnerability in Microsoft PowerPoint Could Allow for Remote Code Execution
OVERVIEW:
A new vulnerability has been discovered in Microsoft PowerPoint, a slide presentation program. This vulnerability can be exploited by opening a malicious PowerPoint presentation (.PPT or .PPS file) received as an email attachment, or by visiting a web site that is hosting a malicious PowerPoint file. Successful exploitation could allow an attacker to gain the same user privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are confirmed reports that this vulnerability is being used for specific targeted attacks although more widespread exploitation may occur when additional details regarding this vulnerability become available.
There is no patch for this vulnerability available at this time.
SYSTEMS AFFECTED:
o Microsoft Office 2000 Service Pack 3
o Microsoft Office 2002 Service Pack 3
o Microsoft Office 2003 Service Pack 3
o Microsoft Office 2004 for Mac
RISK:
Government:
o Large and medium government entities: High
o Small government entities: High
DESCRIPTION:
A new vulnerability has been identified in Microsoft PowerPoint that could allow remote code execution. This vulnerability is caused by an invalid object reference that can be exploited by opening a malicious PowerPoint presentation (.PPT or .PPS) via email attachment, or by visiting a web site that is hosting a malicious PowerPoint file. If Microsoft Office 2000 is being used, it will automatically open any Office documents, unless the Office Document Open Confirmation Tool for Office 2000 is installed. Microsoft Office 2003 or higher, by default will prompt the user to Open, Save, or Cancel when accessing Office files. Successful exploitation could allow an attacker to gain the same user privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are confirmed reports that this vulnerability is being used for specific targeted attacks although more widespread exploitation may occur when additional details regarding this vulnerability become available. Microsoft is reporting that the malicious PowerPoint presentations are being detected as Exploit:Win32/Apptom.gen.
There is no patch for this vulnerability available at this time.
RECOMMENDATIONS:
We recommend the following actions be taken:
o Consider follow Microsoft's suggested actions in their security advisory: http://www.microsoft.com/technet/security/advisory/969136.mspx
o Consider using the Microsoft Office Isolated Conversion Environment (MOICE - http://support.microsoft.com/kb/935865).
o Install the Office Document Open Confirmation Tool for Microsoft Office 2000
(http://www.microsoft.com/downloads/details.aspx?familyid=8B5762D2-077F-4031-9EE6-C9538E9F2A2F&displaylang=en).
o Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.
o Do not open email attachments from un-trusted sources.
o Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
o Ensure that all anti-virus software is up to date with the latest signatures.
o Install the appropriate vendor patch as soon as it becomes available after appropriate testing.
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/advisory/969136.mspx
http://blogs.technet.com/msrc/default.aspx
http://blogs.technet.com/mmpc/
http://www.microsoft.com/security/portal/Entry.aspx?Name=Exploit%3aWin32%2fApptom.gen
Security Focus:
http://www.securityfocus.com/bid/34351
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0556
MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY ADVISORY
DATE ISSUED:
4/2009
SUBJECT:
Vulnerability in Microsoft PowerPoint Could Allow for Remote Code Execution
OVERVIEW:
A new vulnerability has been discovered in Microsoft PowerPoint, a slide presentation program. This vulnerability can be exploited by opening a malicious PowerPoint presentation (.PPT or .PPS file) received as an email attachment, or by visiting a web site that is hosting a malicious PowerPoint file. Successful exploitation could allow an attacker to gain the same user privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are confirmed reports that this vulnerability is being used for specific targeted attacks although more widespread exploitation may occur when additional details regarding this vulnerability become available.
There is no patch for this vulnerability available at this time.
SYSTEMS AFFECTED:
o Microsoft Office 2000 Service Pack 3
o Microsoft Office 2002 Service Pack 3
o Microsoft Office 2003 Service Pack 3
o Microsoft Office 2004 for Mac
RISK:
Government:
o Large and medium government entities: High
o Small government entities: High
DESCRIPTION:
A new vulnerability has been identified in Microsoft PowerPoint that could allow remote code execution. This vulnerability is caused by an invalid object reference that can be exploited by opening a malicious PowerPoint presentation (.PPT or .PPS) via email attachment, or by visiting a web site that is hosting a malicious PowerPoint file. If Microsoft Office 2000 is being used, it will automatically open any Office documents, unless the Office Document Open Confirmation Tool for Office 2000 is installed. Microsoft Office 2003 or higher, by default will prompt the user to Open, Save, or Cancel when accessing Office files. Successful exploitation could allow an attacker to gain the same user privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are confirmed reports that this vulnerability is being used for specific targeted attacks although more widespread exploitation may occur when additional details regarding this vulnerability become available. Microsoft is reporting that the malicious PowerPoint presentations are being detected as Exploit:Win32/Apptom.gen.
There is no patch for this vulnerability available at this time.
RECOMMENDATIONS:
We recommend the following actions be taken:
o Consider follow Microsoft's suggested actions in their security advisory: http://www.microsoft.com/technet/security/advisory/969136.mspx
o Consider using the Microsoft Office Isolated Conversion Environment (MOICE - http://support.microsoft.com/kb/935865).
o Install the Office Document Open Confirmation Tool for Microsoft Office 2000
(http://www.microsoft.com/downloads/details.aspx?familyid=8B5762D2-077F-4031-9EE6-C9538E9F2A2F&displaylang=en).
o Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.
o Do not open email attachments from un-trusted sources.
o Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
o Ensure that all anti-virus software is up to date with the latest signatures.
o Install the appropriate vendor patch as soon as it becomes available after appropriate testing.
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/advisory/969136.mspx
http://blogs.technet.com/msrc/default.aspx
http://blogs.technet.com/mmpc/
http://www.microsoft.com/security/portal/Entry.aspx?Name=Exploit%3aWin32%2fApptom.gen
Security Focus:
http://www.securityfocus.com/bid/34351
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0556
posted by arkietechs at 12:14 PM
0 Comments:
Post a Comment
<< Home