Posted by Steven Bink, May 12, 2009 9:21 PM
Today we released one security bulletin, MS09-017, affecting our PowerPoint products. This update addresses several vulnerabilities including the issue described in Microsoft Security Advisory 969136. In that advisory, we noted that we were aware of limited, targeted attacks.

The security of our customers is important to us and due to these active attacks, we have released the updates for one product line (all versions of Microsoft Office for Windows) so that the majority of our customers can protect their systems. We are able to do this because the updates were ready within the predictable release cycle for the entire product line. Updates for the additional products (Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, Microsoft Works 8.5 and Microsoft Works 9.0) will be released when testing is complete and we can ensure high quality. When ready, we will revise the bulletin and notify customers.

Risk and Impact

To help with risk assessment and impact analysis, Microsoft provides detailed information in the vulnerability information section of the bulletin as well as the Exploitability Index. The aggregate severity of the bulletin is critical and we give it a 1 on the Exploitability Index, which means that consistent exploit code is likely (and is indeed already in the wild for one vulnerability in this update). Of the 14 vulnerabilities being addressed, there are some things to note:

  • We are only (currently) aware of active attacks against CVE-2009-0556.
  • We are not aware (currently) of any active or reliable exploits of CVE-2009-0556 against affected versions of Office for Mac.
  • Microsoft Office 2007, Microsoft Office 2008 for Mac, Microsoft Office PowerPoint Viewers, and Microsoft Works versions 8.5 and 9.0 do not contain the CVE-2009-0556 vulnerability.
  • When we released Microsoft Security Advisory 969136 on April 2, 2009, both the Security Research & Defense and the Microsoft Malware Protection Center (MMPC) teams posted analysis to their blogs. This information provides valuable insight into the active exploits.
  • The bulletin is rated critical only for Microsoft Office PowerPoint 2000 SP3. All other versions have an aggregate rating of important.
  • The only vulnerability that affects all products in the affected products list is CVE-2009-0224. This vulnerability was responsibly disclosed and is rated critical on Microsoft Office PowerPoint 2000 SP3 and important for all the other affected products.

Mitigations and Workarounds

For mitigations and workarounds, I will simply reiterate the information previously stated in the Security Research & Defense blog:

There are a couple of workarounds you can apply in your environment to protect yourself from potential attacks. If your environment has already mostly migrated to PPTX, you can temporarily disable the binary file format in your organization using the FileBlock registry configuration described in the MS09-017 security bulletin. Alternatively, you can temporarily force all legacy PowerPoint files to open in the Microsoft Office Isolated Conversion Environment (MOICE). The steps to enable MOICE are listed in the MS09-017 security bulletin.
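The FileBlock workaround only makes sense once you know how much of your estate still depends on the binary format. As an added example (not part of the original post or the bulletin), this Python script inventories PowerPoint files by their container magic rather than their extension, flags files whose name disagrees with their content, and reports the share that a binary-format block would make unopenable; all file names and bytes are constructed samples.

```python
import os
import tempfile
from collections import Counter

# Magic bytes of the two container formats PowerPoint uses: OLE2 compound file
# (legacy binary .ppt) and the OOXML zip container (.pptx and friends).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
LEGACY_EXTS = (".ppt", ".pps", ".pot")
OOXML_EXTS = (".pptx", ".ppsx", ".potx")

def classify(header: bytes) -> str:
    """Identify the container format from the first bytes of a file."""
    if header.startswith(OLE_MAGIC):
        return "ole-binary"   # what a binary-format block would stop from opening
    if header.startswith(ZIP_MAGIC):
        return "ooxml-zip"    # PPTX-style container, unaffected by a binary block
    return "unknown"

def inventory(root: str) -> dict:
    """Classify PowerPoint-named files under root by content and report the share a binary block would hit."""
    counts, mismatches = Counter(), []
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in LEGACY_EXTS + OOXML_EXTS:
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                kind = classify(fh.read(8))
            counts[kind] += 1
            # Blocking acts on content, not name: a .pptx that is really OLE is still blocked.
            expected = "ole-binary" if ext in LEGACY_EXTS else "ooxml-zip"
            if kind != expected:
                mismatches.append(name)
    total = sum(counts.values())
    return {"total": total, "legacy_binary": counts["ole-binary"], "ooxml": counts["ooxml-zip"],
            "unknown": counts["unknown"], "mismatched": sorted(mismatches),
            "blocked_pct": 100.0 * counts["ole-binary"] / total if total else 0.0}

def run_demo() -> dict:
    """Build a constructed sample tree (magic bytes plus filler, not real decks) and inventory it."""
    root = tempfile.mkdtemp()
    samples = {"q1-review.ppt": OLE_MAGIC + b"\x00" * 24,
               "roadmap.pptx": ZIP_MAGIC + b"\x14\x00" * 4,
               "template.potx": ZIP_MAGIC + b"\x14\x00" * 4,
               "renamed.pptx": OLE_MAGIC + b"\x00" * 24,  # legacy deck under a modern extension
               "notes.txt": b"not a presentation"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return inventory(root)
```

Point `inventory()` at a file share instead of the constructed tree to get the real numbers; a high `blocked_pct` or a long `mismatched` list argues for MOICE over an outright block.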

More Information at MSRC

About Steven Bink

Founder of Bink.nu
Bink.nu 3.0. Copyright © 1999-2012 Steven Bink. All Rights Reserved.