Although May 2009 initially appeared to be a slow month for Microsoft on the security updates front, the company ended up releasing no fewer than 14 patches for just as many vulnerabilities affecting various versions of Office PowerPoint. Microsoft Security Bulletin MS09-017 is rated Critical because of a single vulnerability: CVE-2009-0556. According to the software giant, CVE-2009-0556, a memory corruption vulnerability in Office PowerPoint 2000 SP3, has been under attack since at least the start of April 2009. Microsoft has confirmed only limited, targeted attacks against the CVE-2009-0556 security hole.
“MS09-017 (Maximum severity of Critical): This update resolves a publicly disclosed vulnerability and several privately reported vulnerabilities in Microsoft Office PowerPoint, which could allow remote code execution if a user opens a specially crafted PowerPoint file. This update received a 1 rating from Microsoft’s Exploitability Index,” revealed Christopher Budd, security response communications lead for Microsoft.
MS09-017 addresses security vulnerabilities only in the versions of PowerPoint designed to run on Windows. The Redmond company explains that there are no active or reliable exploits for the Office for Mac versions of PowerPoint at this point in time. At the same time, solutions including Office 2007, Office 2008 for Mac, Office PowerPoint Viewers, and Microsoft Works versions 8.5 and 9.0 are in no way affected by the CVE-2009-0556 vulnerability.
“The updates for Office for Mac and Microsoft Works 8.5 and 9.0 users are still in development. Microsoft plans to issue updates for these software when testing is complete and we can ensure high quality. We are releasing this security update on an incremental basis because of active targeted exploitation toward Windows platform users,” Budd added.
Microsoft has disabled PowerPoint 4.0 file formats by default for both Office PowerPoint 2000 and Office PowerPoint 2002. The company emphasized that the functionality was already removed from PowerPoint 2003 SP3, and that it was never built into PowerPoint 2007 in the first place.