Microsoft Security Bulletin MS01-002 - Critical

PowerPoint File Parser Contains Unchecked Buffer

Published: January 22, 2001 | Updated: July 10, 2003

Version: 2.3

Originally posted: January 21, 2001
Updated: July 10, 2003

Summary

Who should read this bulletin:
Customers using Microsoft® PowerPoint® 97 or PowerPoint 2000.

Impact of vulnerability:
Run code of attacker's choice.

Recommendation:
All customers using PowerPoint 97 or PowerPoint 2000 should apply the patch immediately.

Affected Software:

• Microsoft PowerPoint 97
• Microsoft PowerPoint 2000

General Information

Technical details

Technical description:

A parsing routine that is executed when PowerPoint 97 or PowerPoint 2000 opens files contains an unchecked buffer. If an attacker inserted specially chosen data into a PowerPoint file and could entice another user into opening the file on his machine, the data would overrun the buffer, causing either of two effects. In the less serious case, overrunning the data would cause PowerPoint to fail, but wouldn't have any other effect. In the more serious case, overrunning the buffer could allow the attacker to cause code of her choice to run on the user's machine. The code could take any action that the user himself could take on the machine. Typically, this would enable the attacker's code to add, change or delete data, communicate with a remote server, or take other actions.

PowerPoint 97 and PowerPoint 2000 ship as both stand-alone products and as part of the Office 97 and 2000 product suites. The patch is needed regardless of the shipment vehicle.

Mitigating factors:

• To exploit this vulnerability, an attacker would need to entice a user into either opening a malformed PowerPoint 97 or 2000 file, visiting a malicious website, or viewing a specially crafted HTML email message.

Vulnerability identifier: CAN-2001-0005

Tested Versions:

Microsoft tested PowerPoint 97 and 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. A malicious user could exploit this vulnerability in either of two ways. In the simplest case, opening a malformed PowerPoint file could cause the application to fail. In the more complex case, opening the malformed file could cause code of the attacker's choice to execute on the PowerPoint user's computer. The code could take any action on the machine that the user himself could take. The chief mitigating factor associated with this vulnerability is the requirement for the malicious user to entice a user into either opening the malformed PowerPoint file, visiting a malicious website, or viewing a specially crafted html email message.

What causes the vulnerability?
A parsing function executed by PowerPoint when a file is opened is subject to a buffer overrun vulnerability. If the file contained a particular type of malformed data, code could be made to run on the computer, or PowerPoint itself could be made to fail, via a buffer overrun vulnerability.

What's a buffer overrun vulnerability?
Let's start with what a buffer is. Buffers are storage areas within programs, and are frequently used to store program inputs. As a matter of good coding practice, a program should always check the length of an input it's been provided before writing it to the buffer. Otherwise, an input value that's longer than the buffer could be written, thereby overrunning the buffer and overwriting nearby data. When a buffer overrun occurs, it can cause either of two results. In most cases, the data that "spills" out of the buffer has the effect of causing the program to fail. However, if the data is specially chosen, it can be used to alter what the program does. In essence, the latter case could allow the functionality of the program - PowerPoint, in this case -- to be changed to suit the purposes of the person who provided the data that overran the buffer.

Where is the unchecked buffer in this case?
The unchecked buffer lies in a routine that PowerPoint executes whenever it opens a PowerPoint presentation. The data that's put into the buffer is included in the file. By putting specially-chosen data into a PowerPoint file and persuading another user to open it, an attacker could exploit this vulnerability, with either of the two outcomes discussed above.

What would happen if someone opened a PowerPoint file that exploited this vulnerability?
It would depend on the value of the data that overran the file. If the buffer were overrun with random data, PowerPoint would fail upon opening the file. It would have no other effect, and the user could continue working normally. However, if the buffer were overrun with carefully-selected data, it could allow PowerPoint's functionality to be altered according to the attacker's wishes. The new functionality would be able to do anything on the user's system that the user himself could do. If the user had few privileges on the machine, the new functionality might be able to do little. However, if the user had administrative privileges on the machine, the attacker's new code could take virtually any desired action on the user's computer.

How would the attacker get the data into the file?
She would need to insert it using a hexadecimal editor or similar tool. It is not possible to use PowerPoint to create a file that will overrun the buffer when opened.

Which versions of PowerPoint are vulnerable?
All versions of PowerPoint 97 and Powerpoint 2000 are vulnerable.

What happens if PowerPoint is made to fail?
If the malformed file causes PowerPoint to fail, the application will close abrubtly and any unsaved work in other PowerPoint sessions will be lost. Other applications and the Operating System itself will remain unaffected.

What does the patch do?
The patch eliminates the vulnerability by not allowing malformed files to be opened in PowerPoint.

Patch availability

Download locations for this patch

• PowerPoint 97

  https://www.microsoft.com/download/details.aspx?FamilyID=30789303-25B1-482F-BFE5-5A47C7DB2EDC&displaylang;=EN

• PowerPoint 2000

  https://www.microsoft.com/download/details.aspx?FamilyID=5C011C70-47D0-4306-9FA4-8E92D36332FE&displaylang;=EN

Additional information about this patch

Installation platforms:

• The PowerPoint 97 patch can be installed on systems running Office 97 Service Release 2b.
• The PowerPoint 2000 patch can be installed on systems running Office 2000 Service Release 1a and Service Pack 2.

Inclusion in future service packs:

The fix for this issue will be included in Office XP.

Verifying patch installation:

• PowerPoint 97:

  The only changes made to Microsoft PowerPoint 97 are in the registry.

  The following entries will be removed from your registry:

  HKEY_CLASSES_ROOT\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}

  HKEY_CLASSES_ROOT\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}

  HKEY_CLASSES_ROOT\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}

  HKEY_CLASSES_ROOT\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}

• PowerPoint 2000:

  Select "About Microsoft PowerPoint" from the Help menu and verify that the version number is 9.0.4190

Caveats:

None

Localization:

Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

• Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
• Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Acknowledgments

Microsoft thanks Dave Aitel and Frank Swiderski of @Stake (www.atstake.com) for reporting this issue to us and working with us to protect customers.

Support:

• Microsoft Knowledge Base articles Q285978 and Q299368 discuss this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
• Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

• V1.0 (January 22, 2001): Bulletin Created.
• V2.0 (January 25, 2001): Bulletin revised to reflect availability of an updated patch and changes in the conditions required to exploit the vulnerability.
• V2.1 (June 18, 2001): Bulletin revised to include the download location for the PowerPoint 97 patch.
• V2.2 (February 28, 2003): Updated links for Office 2000 SR1a and SR2 in More Information section.
• V2.3 (July 10, 2003): Corrected links to Windows Update in Additional Information.

Built at 2014-04-18T13:49:36Z-07:00