May 2009 Bulletin Release

Summary of Microsoft’s monthly security bulletin release for May 2009.

Today we released one security bulletin, MS09-017, affecting our PowerPoint products. This update addresses several vulnerabilities including the issue described in Microsoft Security Advisory 969136. In that advisory, we noted that we were aware of limited, targeted attacks.

The security of our customers is important to us and due to these active attacks, we have released the updates for one product line (all versions of Microsoft Office for Windows) so that the majority of our customers can protect their systems. We are able to do this because the updates were ready within the predictable release cycle for the entire product line. Updates for the additional products (Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Open XML File Format Converter for Mac, Microsoft Works 8.5 and Microsoft Works 9.0) will be released when testing is complete and we can ensure high quality. When ready, we will revise the bulletin and notify customers.

Risk and Impact

To help with risk assessment and impact analysis, Microsoft provides detailed information in the vulnerability information section of the bulletin as well as the Exploitability Index. The aggregate severity of the bulletin is critical and we give it a 1 on the Exploitability Index which means consistent exploit code is likely (and indeed already in the wild for one vulnerability in this update). Of the 14 vulnerabilities being addressed, there are some things to note:

  • We are only (currently) aware of active attacks against CVE-2009-0556.
  • We are not aware (currently) of any active or reliable exploits of CVE-2009-0556 against affected versions of Office for Mac.
  • Microsoft Office 2007, Microsoft Office 2008 for Mac, Microsoft Office PowerPoint Viewers, and Microsoft Works versions 8.5 and 9.0 do not contain the CVE-2009-0556 vulnerability.
  • When we released Microsoft Security Advisory 969136 on April 2, 2009, both the Security Research & Defense and the Microsoft Malware Protection Center (MMPC) teams posted analysis to their blogs. This information provides valuable insight in to the active exploits.
  • The bulletin is rated critical only for Microsoft Office PowerPoint 2000 SP3. All other versions have an aggregate rating of important.
  • The only vulnerability that affects all products in the affected products list is CVE-2009-0224. This vulnerability was responsibly disclosed, is rated critical on Microsoft Office PowerPoint 2000 SP3 and important for all the other affected products.

Mitigations and Workarounds

For mitigations and workarounds, I will simply reiterate the information previously stated in the Security Research & Defense blog:

There are a couple workarounds you can apply in your environment to protect yourself from potential attacks. If your environment has mostly already migrated to using PPTX, you can temporarily disable the binary file format in your organization using the FileBlock registry configuration described in the MS09-017 security bulletin. Alternatively, you can temporarily force all legacy PowerPoint files to open in the Microsoft Isolated Conversion Environment (MOICE). The steps to enable MOICE are listed in the MS09-017 security bulletin.

More Information

In the following 8 minute video, I sit down with Adrian Stone from the MSRC to cover this release in a little more detail:

Get Microsoft Silverlight More viewing & listening options:

As always, our friends in the MSRC have provided further analysis in the Security Research and Defense blog so have a look at that and if you have questions, please join us for our regular live webcast tomorrow (Wednesday May 13, 2009) at 11:00 am PDT (UTC –7). Click HERE to register.

On the malware front, the Microsoft Malware Protection Center (MMPC) has added two new items to the Malicious Software Removal Tool (MSRT): Win32/Winwebsec and Win32/FakePowav.B. Customers can download the Malicious Software Removal Tool (MSRT) here. Additional details can also be found on the Microsoft Malware Protection Center blog.


Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.


Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*