Remote code execution in Microsoft PowerPoint



Published: 2006-07-17 | Updated: 2016-12-05
Risk Critical
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2006-3449
CVE-2006-3590
CWE-ID CWE-119
Exploitation vector Network
Public exploit Vulnerability #2 is being exploited in the wild.
Vulnerable software
Subscribe
Microsoft PowerPoint for Mac
Client/Desktop applications / Office applications

Microsoft Office
Client/Desktop applications / Office applications

Microsoft Office for Mac
Client/Desktop applications / Office applications

Vendor
Microsoft

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

This bulletin was updated to include another vulnerability, patched by Microsoft.

1) Buffer overflow

EUVDB-ID: #VU1202

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2006-3449

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to incorrect handling of input data when processing PowerPoint file, containing a malformed record. A remote unauthenticated attacker can trick the victim to open a specially crafted PowerPoint file and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.


Mitigation

Microsoft PowerPoint 2000 - https://www.microsoft.com/downloads/details.aspx?FamilyId=B7B5615B-7C20-4C49-892F-7F4CCC2D6006
Microsoft PowerPoint 2002 - https://www.microsoft.com/downloads/details.aspx?FamilyId=A9C7E43B-A0A6-4C81-87ED-3F4DED78EAEA
Microsoft PowerPoint 2003 - https://www.microsoft.com/downloads/details.aspx?FamilyId=DE1CB2A7-5D4C-44B8-BC40-7E0A88CC3081
PowerPoint 2004 for Mac - https://www.microsoft.com/mac
PowerPoint v. X for Mac - https://www.microsoft.com/mac

Vulnerable software versions

: 2000, 2002, 2003

Microsoft PowerPoint for Mac: 2004, v.X

Microsoft Office: 2000 Service Pack 3, 2003, XP

Microsoft Office for Mac: 2004

CPE2.3 External links

http://technet.microsoft.com/en-us/library/security/ms06-048.aspx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory corruption

EUVDB-ID: #VU1178

Risk: Critical

CVSSv3.1: 8.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2006-3590

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The weakness is due to memory corruption in mso.dll. By persuading the victim to open a specially crafted PPT file, containing a malformed shape container, a remote attacker can execute arbitrary code on vulnerable system.

Successful exploitation of the vulnerability results in complete compromise of vulnerable system.

Note: this vulnerability was being actively exploited.

Mitigation

Microsoft PowerPoint 2000 - https://www.microsoft.com/downloads/details.aspx?FamilyId=B7B5615B-7C20-4C49-892F-7F4CCC2D6006
Microsoft PowerPoint 2002 - https://www.microsoft.com/downloads/details.aspx?FamilyId=A9C7E43B-A0A6-4C81-87ED-3F4DED78EAEA
Microsoft PowerPoint 2003 - https://www.microsoft.com/downloads/details.aspx?FamilyId=DE1CB2A7-5D4C-44B8-BC40-7E0A88CC3081
PowerPoint 2004 for Mac - https://www.microsoft.com/mac
PowerPoint v. X for Mac - https://www.microsoft.com/mac

Vulnerable software versions

: 2000, 2002, 2003

Microsoft PowerPoint for Mac: 2004, v.X

Microsoft Office: 2000 Service Pack 3, 2003, XP

Microsoft Office for Mac: 2004

CPE2.3 External links

http://technet.microsoft.com/library/security/922970
http://technet.microsoft.com/en-us/library/security/ms06-048.aspx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.



###SIDEBAR###