MS09-017: An out-of-the-ordinary PowerPoint security update

Security update MS09-017 addresses the PowerPoint (PPT) zero-day vulnerability that has recently been used in targeted attacks. We issued security advisory 969136 with workarounds on April 2nd, after we first saw exploits in the wild abusing this vulnerability. We also published an SRD blog entry describing how to analyze exploits and an MMPC blog entry with more details about the exploits we had seen. Now the security update is ready for you to install. This update differs in a few ways from previous Office security updates, and we’d like to make sure you understand those differences.

First, the security update for the Windows versions of Office was ready ahead of our planned release schedule. The Mac version of Office is affected, but its packages are still in testing, so we are “going live” today with Windows packages only. We normally do not update one supported platform before another. In this situation, however, a package that protects the vast majority of customers at risk was available for an entire product line within the predictable release cycle, so we made a decision to go early with the Windows packages. We will revise the security bulletin when the Mac packages are available. None of the PPT exploit samples we have analyzed will reliably exploit the Mac version, so we didn’t want to hold the Windows security update while we wait for Mac packages. We are still hard at work on the Mac package testing.

The next interesting difference from our usual Office updates is that MS09-017 dramatically reduces the attack surface. The Office team is making a smart choice to remove support for the very old PowerPoint 4 converter (PP4X322.DLL) with this security update. “PP40” files cannot even be created anymore with Office XP, Office 2003, or Office 2007, and the format has not been the default for many years. Office 2007 and Office 2003 SP2 and SP3 have already removed support for this file format, so we are backporting that attack surface reduction down-level with this security update. If you really, really, really need to open a PowerPoint 4 file that you trust to not be malicious, we suggest you temporarily re-enable the converter with this regkey, open the file, save the file in a newer format, and immediately disable the older format again. This is the best way to limit the risk to which you expose your system.

One final note about this update concerns the 14 vulnerabilities addressed by this bulletin. We are addressing a number of PowerPoint converter cases by removing support for the format (PP40). Others were addressed by back-porting the latest Office 2003 SP3 converter code down-level to Office XP and Office 2000. For example, PP7X32.DLL has gone through extensive changes, addressing the externally reported vulnerabilities listed in the bulletin but also introducing substantial hardening to the parsing engine. We hope that by doing this comprehensive update and by proactively addressing security vulnerabilities, we reduce the risk and help protect our customers from future vulnerabilities.

Lastly, only one CVE (CVE-2009-0556) is known to be publicly exploited based on our telemetry, but we’re eager to release fixes for all the vulnerabilities reported. This update significantly hardens all versions of PowerPoint, and we really encourage you to apply it as soon as possible!

Jonathan Ness, MSRC Engineering

*Postings are provided “AS IS” with no warranties, and confer no rights.*