
The Redmond company and the Microsoft Security Response Center partners have wrapped up an investigation into publicly published proof-of-concept code impacting Microsoft Office 2003 PowerPoint. Although initially rated as a Critical vulnerability because it allowed for remote code execution in the event of a successful exploit, its level was lowered to not critical, as it only permits DoS attacks.
"The short story is that this issue turned out to not be exploitable for remote code execution. It was a PowerPoint crashing bug, not a PowerPoint security vulnerability. The PowerPoint team has developed a fix for this bug and it will go into the next available ship vehicle for PowerPoint," stated the SWI team, an MSRC partner.
"The bug is caused due to a NULL pointer dereference error when processing a PowerPoint presentation containing a container object with an invalid 'position' value that is larger than the container's record length," stated Secunia.
When parsing a malformed PPT file generated by the Perl script, PowerPoint attempts to identify a node in a list for a position that is outside the list's bounds. "The function that should be returning a legitimate object for later use by PowerPoint instead returns NULL due to the out-of-bounds position value. This return value is not checked for a NULL value before the address is operated on as an object. The reference of this NULL object pointer is what causes the exception," added the SWI team.
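The bug class described above, as an added C example that is not PowerPoint's code: a lookup returns NULL for a position beyond the container's record length, and the caller either dereferences the result unchecked or rejects the record. The struct layout, function names and sample values are assumptions made for illustration, not the real PPT record format.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed layout for illustration; not the real PPT record format. */
typedef struct node {
    uint32_t offset;      /* start of this child inside the container */
    uint16_t type;
    struct node *next;
} node;
typedef struct {
    uint32_t record_len;  /* length of the container's data */
    node *children;       /* children sorted by ascending offset */
} container;

/* Returns the child covering `pos`, or NULL when `pos` is out of bounds. */
node *find_child(const container *c, uint32_t pos) {
    if (pos >= c->record_len) return NULL;
    node *hit = NULL;
    for (node *n = c->children; n != NULL && n->offset <= pos; n = n->next)
        hit = n;
    return hit;
}

/* Crashing pattern: the result is used as an object without a NULL check. */
uint16_t child_type_unchecked(const container *c, uint32_t pos) {
    return find_child(c, pos)->type;
}

/* Hardened caller: treat a NULL lookup as a malformed file and stop parsing. */
int child_type_checked(const container *c, uint32_t pos, uint16_t *out) {
    node *n = find_child(c, pos);
    if (n == NULL) return -1;
    *out = n->type;
    return 0;
}

/* Constructed sample: a 32-byte container holding two children. */
int demo(uint32_t pos, uint16_t *out) {
    node b = { 16, 0x0BB8, NULL };
    node a = { 0, 0x03E8, &b };
    container c = { 32, &a };
    return child_type_checked(&c, pos, out);
}

int main(void) {
    uint16_t t = 0;
    printf("in range: %d, out of range: %d\n", demo(20, &t), demo(64, &t));
    return 0;
}
```

Calling `child_type_unchecked` with a position of 32 or more on the sample container reproduces the crash pattern; the checked variant returns -1 instead.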