Remote code execution in Microsoft PowerPoint
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2006-3449 CVE-2006-3590 |
| CWE-ID | CWE-119 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #2 is being exploited in the wild. |
| Vulnerable software Subscribe |
Microsoft PowerPoint for Mac Client/Desktop applications / Office applications Microsoft Office Client/Desktop applications / Office applications Microsoft Office for Mac Client/Desktop applications / Office applications |
| Vendor |
Microsoft |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU1202
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2006-3449
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to incorrect handling of input data when processing PowerPoint file, containing a malformed record. A remote unauthenticated attacker can trick the victim to open a specially crafted PowerPoint file and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Mitigation
Microsoft PowerPoint 2000 - https://www.microsoft.com/downloads/details.aspx?FamilyId=B7B5615B-7C20-4C49-892F-7F4CCC2D6006
Microsoft PowerPoint 2002 - https://www.microsoft.com/downloads/details.aspx?FamilyId=A9C7E43B-A0A6-4C81-87ED-3F4DED78EAEA
Microsoft PowerPoint 2003 - https://www.microsoft.com/downloads/details.aspx?FamilyId=DE1CB2A7-5D4C-44B8-BC40-7E0A88CC3081
PowerPoint 2004 for Mac - https://www.microsoft.com/mac
PowerPoint v. X for Mac - https://www.microsoft.com/mac
: 2000 - 2003
Microsoft PowerPoint for Mac: 2004 - v.X
Microsoft Office: 2000 Service Pack 3 - XP
Microsoft Office for Mac: 2004
External linkshttp://technet.microsoft.com/en-us/library/security/ms06-048.aspx
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory corruption
EUVDB-ID: #VU1178
Risk: Critical
CVSSv3.1: 8.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]
CVE-ID: CVE-2006-3590
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The weakness is due to memory corruption in mso.dll. By persuading the victim to open a specially crafted PPT file, containing a malformed shape container, a remote attacker can execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability results in complete compromise of vulnerable system.
Note: this vulnerability was being actively exploited.
Microsoft PowerPoint 2000 - https://www.microsoft.com/downloads/details.aspx?FamilyId=B7B5615B-7C20-4C49-892F-7F4CCC2D6006
Microsoft PowerPoint 2002 - https://www.microsoft.com/downloads/details.aspx?FamilyId=A9C7E43B-A0A6-4C81-87ED-3F4DED78EAEA
Microsoft PowerPoint 2003 - https://www.microsoft.com/downloads/details.aspx?FamilyId=DE1CB2A7-5D4C-44B8-BC40-7E0A88CC3081
PowerPoint 2004 for Mac - https://www.microsoft.com/mac
PowerPoint v. X for Mac - https://www.microsoft.com/mac
: 2000 - 2003
Microsoft PowerPoint for Mac: 2004 - v.X
Microsoft Office: 2000 Service Pack 3 - XP
Microsoft Office for Mac: 2004
External linkshttp://technet.microsoft.com/library/security/922970
http://technet.microsoft.com/en-us/library/security/ms06-048.aspx
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
