X
Business
Home Business Enterprise Software

Microsoft plugs 14 PowerPoint security holes

Microsoft has slapped a massive band-aid on its PowerPoint presentation software to cover at least 14 documented security vulnerabilities.The MS09-017 update, rated "critical," includes a fix for a known code execution flaw that was used to launch targeted exploits via rigged PowerPoint files.
Written by Ryan Naraine, Contributor

pptkill.png

Microsoft has slapped a massive band-aid on its PowerPoint presentation software to cover at least 14 documented security vulnerabilities.

The MS09-017 update, rated "critical," includes a fix for a known code execution flaw that was used to launch targeted exploits via rigged PowerPoint files.

[ SEE: Patch Tuesday: Fix coming for PowerPoint zero-day ]

From the bulletin:

followmeontwitter.png

The security update addresses the vulnerabilities by modifying the way that PowerPoint handles conditions that could cause memory corruption when opening specially crafted PowerPoint files. This update also addresses the vulnerabilities by preventing Microsoft Office PowerPoint 2000 and Microsoft Office PowerPoint 2002 from opening PowerPoint 4.0 native file formats.

Some of the issues affect Office for Mac but patches are not yet available for those users:

The updates for Office for Mac and Microsoft Works 8.5 and 9.0 users are still in development. Microsoft plans to issue updates for these software when testing is complete and we can ensure high quality. We are releasing this security update on an incremental basis because of active targeted exploitation toward Windows platform users.

Three of the 14 issues are described as "legacy file format vulnerabilities" that introduce code execution risk via specially crafted PowerPoint files.  They could be exploited via PowerPoint files in e-mail attachments, or hosted on a specially crafted or compromised Web site.

Microsoft's Johnathan Ness explains:

We are addressing a number of PowerPoint converter cases by removing support for the format (PP40). Others were addressed by back-porting the latest Office 2003 SP3 converter code down-level to Office XP and Office 2000. For example, PP7X32.DLL has gone through extensive changes, addressing the externally-reported vulnerabilities listed in the bulletin but also introducing substantial hardening to the parsing engine. We hope that by doing this comprehensive update and by proactively addressing security vulnerabilities, we reduce the risk and help protect our customers from future vulnerabilities.

* Image source: cogdogblog's photostream (Creative Commons 2.0)

Editorial standards
Show Comments

Related

Anker Solix X1

Not into the Tesla Powerwall? You can now buy the Anker Solix X1

GOTRAX 4 electric scooter

The Jackery Explorer 1000 is one of the best portable power stations you can buy, and it's on sale

AI coding concept

Can Meta AI code? I tested it against Llama, Gemini, and ChatGPT - it wasn't even close