CERT-In Vulnerability Note CIVN-2006-81
Microsoft PowerPoint Remote code execution vulnerabilities
Original Issue Date: August 09, 2006
Severity Rating: High
Systems Affected
- Microsoft PowerPoint 2000
- Microsoft PowerPoint 2002
- Microsoft PowerPoint 2003
- PowerPoint 2004 for Mac
- PowerPoint 2004 v. X for Mac
- Microsoft Office 2000
- Microsoft Office XP
- Microsoft Office 2003
Overview
Two vulnerabilities have been reported in Microsoft PowerPoint that could be exploited by an attacker to take complete control of the vulnerable system.
Description
Microsoft PowerPoint Mso.dll Vulnerability (CVE-2006-3590)
This vulnerability is caused by an unspecified memory corruption error in the mso.dll library when processing a specially crafted PowerPoint document. For details, please refer to CERT-In Vulnerability Note CIVN-2006-73.
Microsoft PowerPoint Malformed Records Vulnerability (CVE-2006-3449)
An attacker could exploit this vulnerability by convincing a user to open a specially crafted PowerPoint document, including documents hosted on web sites or attached to email messages, and thereby execute arbitrary code with the privileges of the user running PowerPoint.
Note: Proof of Concept exploit code for these vulnerabilities is available on the Internet.
Workarounds
- Do not open PowerPoint attachments from untrusted sources.
- Do not grant administrative privileges to users.
- Maintain updated antivirus software.
Solution
Apply appropriate patches as mentioned in Microsoft Security Bulletin MS06-048.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx
References
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx
US-CERT VU#884252
http://www.kb.cert.org/vuls/id/884252
Security Focus
http://www.securityfocus.com/bid/19341/info
Secunia
http://secunia.com/advisories/21040
CVE Name
CVE-2006-3590
CVE-2006-3449
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
