Executive Summary
Summary | |
---|---|
Title | Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2489283) |
Informations | |||
---|---|---|---|
Name | MS11-022 | First vendor Publication | 2011-04-12 |
Vendor | Microsoft | Last vendor Modification | 2011-04-20 |
Severity (Vendor) | Important | Revision | 1.1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Revision Note: V1.1 (April 20, 2011): Corrected the bulletin replacement information for the Microsoft PowerPoint Web App update (KB2520047). This is an informational change only. There were no changes to the detection logic or the update files.Summary: This security update resolves three privately reported vulnerabilities in Microsoft PowerPoint. The vulnerabilities could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The automated Microsoft Fix it solution for PowerPoint 2010, "Disable Edit in Protected View for PowerPoint 2010," available in Microsoft Knowledge Base Article 2501584, blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-0655 and CVE-2011-0656. |
Original Source
Url : http://www.microsoft.com/technet/security/bulletin/MS11-022.mspx |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-20 | Improper Input Validation |
33 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:11761 | |||
Oval ID: | oval:org.mitre.oval:def:11761 | ||
Title: | Persist Directory RCE Vulnerability | ||
Description: | Microsoft PowerPoint 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004, 2008, and 2011 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; PowerPoint Viewer; PowerPoint Viewer 2007 SP2; and PowerPoint Web App do not properly validate PersistDirectoryEntry records in PowerPoint documents, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a Slide with a malformed record, which triggers an exception and later use of an unspecified method, aka "Persist Directory RCE Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-0656 | Version: | 13 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 | Product(s): | Microsoft Office PowerPoint 2002 Microsoft Office PowerPoint 2003 Microsoft Office PowerPoint 2007 Microsoft Office PowerPoint 2010 Microsoft Office Compatibility Pack Microsoft PowerPoint Viewer 2007 Microsoft PowerPoint Viewer soft PowerPoint Web App |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:11978 | |||
Oval ID: | oval:org.mitre.oval:def:11978 | ||
Title: | OfficeArt Atom RCE Vulnerability | ||
Description: | Microsoft PowerPoint 2002 SP3, 2003 SP3, and 2007 SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; and PowerPoint Viewer 2007 SP2 do not properly handle Office Art containers that have invalid records, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a PowerPoint document with a container that triggers certain access to an uninitialized object, aka "OfficeArt Atom RCE Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-0976 | Version: | 9 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 | Product(s): | Microsoft Office PowerPoint 2002 Microsoft Office PowerPoint 2003 Microsoft Office PowerPoint 2007 Microsoft Office Compatibility Pack Microsoft PowerPoint Viewer 2007 Microsoft PowerPoint Viewer |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:12624 | |||
Oval ID: | oval:org.mitre.oval:def:12624 | ||
Title: | Floating Point Techno-color Time Bandit RCE Vulnerability | ||
Description: | Microsoft PowerPoint 2007 SP2 and 2010; Office 2004, 2008, and 2011 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; PowerPoint Viewer; PowerPoint Viewer 2007 SP2; and PowerPoint Web App do not properly validate TimeColorBehaviorContainer Floating Point records in PowerPoint documents, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document containing an invalid record, aka "Floating Point Techno-color Time Bandit RCE Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-0655 | Version: | 11 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 | Product(s): | Microsoft Office PowerPoint 2007 Microsoft Office PowerPoint 2010 Microsoft Office Compatibility Pack Microsoft PowerPoint Viewer 2007 Microsoft PowerPoint Viewer Microsoft PowerPoint Web App |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 3 | |
Application | 1 | |
Application | 1 | |
Application | 1 | |
Application |
| 7 |
Application | 1 | |
Application | 1 |
SAINT Exploits
Description | Link |
---|---|
Microsoft PowerPoint Floating Point Techno-color Time Bandit vulnerability | More info here |
OpenVAS Exploits
Date | Description |
---|---|
2011-04-13 | Name : Microsoft Office PowerPoint Remote Code Execution Vulnerabilities (2489283) File : nvt/secpod_ms11-022.nasl |
2011-02-23 | Name : Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability File : nvt/gb_ms_power_point_code_exec_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
71771 | Microsoft Office PowerPoint TimeColorBehaviorContainer (Techno-color Time Ban... Multiple Microsoft products contain a flaw related to the failure to properly validate TimeColorBehaviorContainer Floating Point records and structures in PowerPoint documents. This may allow a context-dependent attacker using a crafted PowerPoint document to execute arbitrary code. |
71770 | Microsoft Office PowerPoint PersistDirectoryEntry Processing Remote Code Exec... Multiple Microsoft products contain a flaw related to the handling of PersistDirectoryEntry record exceptions. The issue is triggered when the program uses a method derived from a malformed object created by this flaw. This may allow a context-dependent attacker to use a crafted document containing an invalid record to execute arbitrary code. |
71769 | Microsoft Office PowerPoint OfficeArt Atom Parsing Remote Code Execution Microsoft PowerPoint, Office for Mac, PowerPoint Viewer, Open XML File Format Converter for Mac and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 contain a flaw related to the parsing of external objects within Office Art containers. The issue is triggered when program accesses nonexistent methods when destroying the object while closing documents. This may allow a context-dependent attacker using a crafted PowerPoint document to execute arbitrary code. |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2011-04-14 | IAVM : 2011-A-0047 - Multiple Vulnerabilities in Microsoft Office PowerPoint Severity : Category II - VMSKEY : V0026525 |
Snort® IPS/IDS
Date | Description |
---|---|
2019-09-12 | Microsoft Office PowerPoint OfficeArt atom memory corruption attempt RuleID : 50962 - Revision : 1 - Type : FILE-OFFICE |
2016-03-14 | Microsoft Office PowerPoint malformed record call to freed object attempt RuleID : 37035 - Revision : 2 - Type : FILE-OFFICE |
2016-03-14 | Microsoft Office PowerPoint malformed record call to freed object attempt RuleID : 37034 - Revision : 2 - Type : FILE-OFFICE |
2016-03-14 | Microsoft Office PowerPoint malformed record call to freed object attempt RuleID : 37033 - Revision : 2 - Type : FILE-OFFICE |
2016-03-14 | Microsoft Office PowerPoint malformed record call to freed object attempt RuleID : 37032 - Revision : 2 - Type : FILE-OFFICE |
2016-03-14 | Microsoft Office PowerPoint malformed record call to freed object attempt RuleID : 37031 - Revision : 2 - Type : FILE-OFFICE |
2016-03-14 | Microsoft Office PowerPoint malformed record call to freed object attempt RuleID : 37030 - Revision : 2 - Type : FILE-OFFICE |
2016-03-14 | Microsoft Office PowerPoint malformed record call to freed object attempt RuleID : 37029 - Revision : 2 - Type : FILE-OFFICE |
2014-01-10 | Microsoft Office PowerPoint malformed record call to freed object attempt RuleID : 21647 - Revision : 7 - Type : FILE-OFFICE |
2014-01-10 | Microsoft Office PowerPoint malformed record call to freed object attempt RuleID : 19811 - Revision : 13 - Type : FILE-OFFICE |
2014-01-10 | Microsoft Office PowerPoint OfficeArt atom memory corruption attempt RuleID : 18637 - Revision : 16 - Type : FILE-OFFICE |
2014-01-10 | Microsoft Office PowerPoint SlideAtom record exploit attempt RuleID : 18636 - Revision : 14 - Type : FILE-OFFICE |
2014-01-10 | Microsoft Office PowerPoint malformed record call to freed object attempt RuleID : 18635 - Revision : 17 - Type : FILE-OFFICE |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2011-12-13 | Name : Arbitrary code can be executed on the remote host through Microsoft PowerPoint. File : smb_nt_ms11-094.nasl - Type : ACT_GATHER_INFO |
2011-04-13 | Name : An application installed on the remote Mac OS X host is affected by multiple ... File : macosx_ms_office_apr2011.nasl - Type : ACT_GATHER_INFO |
2011-04-13 | Name : Arbitrary code can be executed on the remote host through Microsoft PowerPoint. File : smb_nt_ms11-022.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-03-20 21:21:09 |
|
2014-02-17 11:46:54 |
|
2014-01-19 21:30:38 |
|
2013-11-11 12:41:22 |
|