Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution

Posted 04/02/2009 - 21:51 by David Schnardthorst

Overview: 

Microsoft released Advisory 969136 on April 2, 2009 due to a vulnerability in Microsoft Office PowerPoint that could allow remote code execution.

| References | Identification |
|---|---|
| CVE Reference | CVE-2009-0556 |
| Microsoft Knowledge Base Article | 969136 |

This advisory discusses the following software.

Affected Software

Microsoft Office PowerPoint 2000 Service Pack 3

Microsoft Office PowerPoint 2002 Service Pack 3

Microsoft Office PowerPoint 2003 Service Pack 3

Microsoft Office 2004 for Mac

 

Non-affected Software

Microsoft Office PowerPoint 2007

Microsoft Office PowerPoint 2007 Service Pack 1

Microsoft Office PowerPoint Viewer 2003

Microsoft Office PowerPoint Viewer 2007

Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats

Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1

Microsoft Office 2008 for Mac

Open XML File Format Converter for Mac

Impact: 
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  • In a Web-based attack scenario, an attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site, and then convincing them to open the specially crafted PowerPoint file.

 

Solution: 

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section. 

Do not open or save Office files that you receive from un-trusted sources or that are received unexpectedly from trusted sources.

Do not open or save Office files that you receive from un-trusted sources or that are received unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a file.

 
Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources

The Microsoft Office Isolated Conversion Environment (MOICE) will protect Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files.

To install MOICE, you must have Office 2003 or 2007 Office system installed.

To install MOICE, you must have the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats. The compatibility pack is available as a free download from the Microsoft Download Center:

Download the FileFormatConverters.exe package now

MOICE requires all updates that are recommended for all Office programs. Visit Microsoft Update to install all recommended updates:

http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

To enable MOICE, change the registered handler for the .ppt, .pot, and .pps file formats. The following table describes the command to enable or to disable MOICE for the .ppt, .pot, and .pps file formats:

| Command to use to enable MOICE to be the registered handler | Command to use to disable MOICE as the registered handler |
|---|---|
| ASSOC .ppt=oice.powerpoint.show | ASSOC .ppt=PowerPoint.Show.8 |
| ASSOC .pot=oice.powerpoint.template | ASSOC .pot=PowerPoint.Template.8 |
| ASSOC .pps=oice.powerpoint.slideshow | ASSOC .pps=PowerPoint.SlideShow.8 |

Note: On Windows Vista and Windows Server 2008 the commands above will need to be run from an elevated command prompt.

For more information on MOICE, see Microsoft Knowledge Base Article 935865.

Impact of Workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE will not retain macro functionality. Additionally, documents with passwords or that are protected with Digital Rights Management cannot be converted.

Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations

The following registry scripts can be used to set the File Block policy.

Note: Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved. Modify the Registry at your own risk.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\Security\FileOpenBlock]

"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with Office 2003, all of the latest Office 2003 security updates must be applied.

Impact of Workaround: Users who have configured the File Block policy and have not configured a special “exempt directory” as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System.

How to Undo the Workaround:

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\Security\FileOpenBlock]

"BinaryFiles"=dword:00000000
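
A read-only check, added here as an example and not part of Microsoft's advisory, that reports whether the MOICE file associations and the Office 2003 File Block value described above are currently in effect for the logged-on user. It assumes PowerShell 3.0 or later; the function name Get-Association is hypothetical.

```powershell
# Added example: audit the MOICE and File Block workarounds. Changes nothing.

# MOICE handlers expected after the "enable" ASSOC commands in the advisory.
$moiceHandlers = @{
    '.ppt' = 'oice.powerpoint.show'
    '.pot' = 'oice.powerpoint.template'
    '.pps' = 'oice.powerpoint.slideshow'
}

function Get-Association {
    # Hypothetical helper: returns the handler registered for an extension,
    # or $null when no association exists.
    param([string]$Extension)
    # ASSOC is a cmd.exe built-in, so it must be run through cmd.
    $line = cmd /c "assoc $Extension" 2>$null | Select-Object -First 1
    if (-not $line) { return $null }
    # Output has the form ".ppt=PowerPoint.Show.8"
    return ($line -split '=', 2)[1]
}

$results = @()
foreach ($ext in ($moiceHandlers.Keys | Sort-Object)) {
    $current = Get-Association $ext
    $results += [pscustomobject]@{
        Check   = "MOICE handler for $ext"
        Current = if ($current) { $current } else { '(none)' }
        Applied = ($current -eq $moiceHandlers[$ext])   # case-insensitive compare
    }
}

# File Block policy value for Office 2003, from the registry script in the advisory.
$key   = 'HKCU:\Software\Microsoft\Office\11.0\PowerPoint\Security\FileOpenBlock'
$value = (Get-ItemProperty -Path $key -Name 'BinaryFiles' -ErrorAction SilentlyContinue).BinaryFiles

$results += [pscustomobject]@{
    Check   = 'File Block BinaryFiles (Office 2003)'
    Current = if ($null -ne $value) { $value } else { '(not set)' }
    Applied = ($value -eq 1)
}

$results | Format-Table -AutoSize
```

The File Block value is stored under HKEY_CURRENT_USER, so the check has to run in each user's session to reflect that user's setting.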

References: 
  • Microsoft Technet Article: 969136