May 12, 2009 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 1 vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Microsoft has released 1 security patches to fix newly discovered flaws in Microsoft Windows.
Qualys has released the following checks for these new vulnerabilities:
| Microsoft Office PowerPoint Could Allow Remote Code Execution |
|---|
SEVERITY: Urgent  5 |
| QUALYS ID: 110094 |
| VENDOR REFERENCE: MS09-017 |
| CVE REFERENCE: CVE-2009-0556, CVE-2009-0220, CVE-2009-0221, CVE-2009-0222, CVE-2009-0223, CVE-2009-0224, CVE-2009-0225, CVE-2009-0226, CVE-2009-0227, CVE-2009-1128, CVE-2009-1129, CVE-2009-1130, CVE-2009-1131, CVE-2009-1137 |
| CVSS SCORES: Base 9.3/ Temporal 7.9 |
| THREAT: Microsoft PowerPoint is a presentation program developed by Microsoft. It is part of the Microsoft Office Suite.
Previously Microsoft has identified this as a zero day vulnerability in Microsoft PowerPoint. The application is prone to the following vulnerabilities that are caused due to the way it handles specially crafted PowerPoint files. - A file format vulnerability exists in the way that PowerPoint reads paragraph formatting data from specially crafted PowerPoint 4.0 files. (CVE-2009-0220) - Multiple integer overflow and memory corruption vulnerabilities exist in the way PowerPoint reads an invalid record type in a specially crafted PowerPoint file allowing memory corruption and code execution. (CVE-2009-0221, CVE-2009-0224) - Multiple file format vulnerabilities exist in the way PowerPoint reads sound data from specially crafted PowerPoint 4.0 files. (CVE-2009-0222, CVE-2009-0223, CVE-2009-0226, CVE-2009-0227, CVE-2009-1137) - Multiple PP7 memory corruption vulnerabilities exists in the way PowerPoint reads sound data from specially crafted PowerPoint 95 files and older PowerPoint 95 formatted files. (CVE-2009-0225, CVE-2009-1128, CVE-2009-1129) - A memory corruption vulnerability exists in the way PowerPoint accesses an invalid object in memory when parsing a specially crafted PowerPoint file. (CVE-2009-0556) - A heap corruption vulnerability exists in the way PowerPoint reads a malformed structure value in a specially crafted PowerPoint file. (CVE-2009-1130) - A data out of bounds vulnerability exists in the way Microsoft Office PowerPoint reads data that is too large in a specially crafted PowerPoint file. (CVE-2009-1131) Microsoft has released a security update that addresses these vulnerabilities by modifying the way that PowerPoint handles conditions that could cause memory corruption when opening specially crafted PowerPoint files.
Affected Software: |
| IMPACT: Successful exploitation of this vulnerability allows an attacker to cause memory corruption and run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Office 2000 Service Pack 3 (Microsoft Office PowerPoint 2000 Service Pack 3) Microsoft Office XP Service Pack 3 (Microsoft Office PowerPoint 2002 Service Pack 3) Microsoft Office 2003 Service Pack 3 (Microsoft Office PowerPoint 2003 Service Pack 3) 2007 Microsoft Office System Service Pack 1 (Microsoft Office PowerPoint 2007 Service Pack 1) 2007 Microsoft Office System Service Pack 2 (Microsoft Office PowerPoint 2007 Service Pack 2) PowerPoint Viewer 2007 Service Pack 1 and PowerPoint Viewer 2007 Service Pack 2 Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2 Refer to Microsoft Security Bulletin MS09-017 for further details.
Workarounds:
Workarounds for CVE-2009-0221, CVE-2009-0224, CVE-2009-0556, CVE-2009-1130: Impact of workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted. 2) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. Impact of workaround: If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.
Workaround for CVE-2009-0220, CVE-2009-0222, CVE-2009-0223, CVE-2009-0226, CVE-2009-0227, CVE-2009-1137: Impact of workaround: It will prevent PowerPoint 4.0 files from being opened
Workaround for CVE-2009-0225, CVE-2009-1128, CVE-2009-1129: Impact of workaround: It will prevent PowerPoint 95 files from being opened Details on the workarounds can be found at MS09-017. |
This new vulnerability check is included in Qualys vulnerability signatures v1.22.209-2. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.
SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
- 110094
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
Access for QualysGuard customers: https://qualysguard.qualys.com
Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/
