Microsoft PowerPoint DLL Loading and OfficeArt Object Processing Flaws Let Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1026411 |
|
SecurityTracker URL: http://securitytracker.com/id/1026411
|
|
CVE Reference:
CVE-2011-3396, CVE-2011-3413
(Links to External Site)
|
Date: Dec 13 2011
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 2007 SP2, 2010, 2008 for Mac; and prior service packs; Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; Microsoft PowerPoint Viewer 2007 SP2
|
Description:
Two vulnerabilities were reported in Microsoft PowerPoint. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create a specially crafted DLL file on a remote share (e.g., WebDAV, SMB share). When the target PowerPoint application is loaded by the target user and the target user opens an Office-related on that remote share, the application may load the remote user's DLL instead of the intended DLL and execute arbitrary code [CVE-2011-3396]. The code will run with the privileges of the target user. Greg MacManus of iSIGHT Partners Labs reported this vulnerability.
This type of exploit is also known as "binary planting" or "DLL preloading".
A remote user can create a specially crafted PowerPoint file that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system [CVE-2011-3413]. The code will run with the privileges of the target user. An anonymous researcher (TippingPoint's Zero Day Initiative) reported this vulnerability.
|
Impact:
A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can may be able to cause a target application to execute arbitrary code on the target user's system.
|
Solution:
The vendor has issued the following fixes:
Microsoft PowerPoint 2007 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=d0c3156c-c87c-4d3e-aca2-3fab9ff78711
Microsoft PowerPoint 2010 (32-bit editions):
http://www.microsoft.com/downloads/details.aspx?familyid=fd32d083-46e7-4835-ba83-c33332b920bd
Microsoft PowerPoint 2010 (64-bit editions):
http://www.microsoft.com/downloads/details.aspx?familyid=f28b8cf6-8946-448a-ae4e-d11f8a76a679
Microsoft Office 2008 for Mac:
http://www.microsoft.com/downloads/details.aspx?familyid=2c4d0381-f7ab-49ed-a0c0-b381387d1e68
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=e799f654-7e2d-40c7-a3b8-32e44d1aa6ee
Microsoft PowerPoint Viewer 2007 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=4417592a-8db0-4e35-9895-d589bc341077
A restart may be required.
The Microsoft advisory is available at:
http://technet.microsoft.com/en-us/security/bulletin/ms11-094
|
Vendor URL: technet.microsoft.com/en-us/security/bulletin/ms11-094 (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
UNIX (OS X), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
|
|
[Original Message Not Available for Viewing]
|
|
