By Carsten Eiram
Strap yourself in people for it's time to blog a bit about the most interesting of the 27 analyses issued by the Secunia Binary Analysis Team in May.
Yet again, I've decided to do things differently. I'm planning on ranting quite a bit about the large number of PowerPoint vulnerabilities reported this month and since a) I don't want to write a long blog and b) most of you wouldn't care for reading one anyway, I'm going to focus solely on the PowerPoint vulnerabilities and just quickly list the other analyses of particular interest:
Adobe Reader "spell.customDictionaryOpen()" Memory Corruption (SA34924 / CVE-2009-1492)
Adobe Reader for Linux "getAnnots()" Memory Corruption (SA34924 / CVE-2009-1492)
Sun Solaris "sadmind" Buffer Overflow Vulnerability (SA32473 / CVE-2008-3869)
Sun Solaris "sadmind" Integer Overflow Vulnerability (SA32473 / CVE-2008-3870)
Mozilla Firefox "nsTextFrame::ClearTextRun()" Memory Corruption (SA34866 / CVE-2009-1313)
Safari WebKit SVGList Object Handling Memory Corruption (SA35095 & SA35056 / CVE-2009-0945)
With that list out of the way, on we go to discuss the PowerPoint vulnerabilities.
Microsoft PowerPoint Multiple Vulnerabilities (SA32428)
Even though Microsoft only issued a single security bulletin this month, it covered a lot of vulnerabilities. One of the fixed vulnerabilities was for a PowerPoint 0-day vulnerability (CVE-2009-0556) for which we issued a BA back in April so we'll ignore this one.
In total, Secunia issued 14 analyses solely for the reported PowerPoint vulnerabilities. A couple of these covered vulnerabilities in PowerPoint itself (including a reliably exploitable vulnerability reported by Secunia Research) and in the PowerPoint 95 translator.
However, most of the analyses cover various types of errors in the translator for PowerPoint 4.0 files and we were honestly surprised once we started to dig around in the translator to analyse the reported vulnerabilities.
First, we noticed a lot of vulnerabilities, which were not related to sound data parsing even though many of the security bulletin descriptions stated that vulnerabilities were related to this. Either we found a lot of new vulnerabilities during analysis or the descriptions in the security bulletin are not completely accurate. More interesting than this was, however, the (lack of) code quality in the translator.
We've been pulling apart Microsoft products for many years now to either analyse reported vulnerabilities or find new ones. Overall, I reckon that Microsoft with their security initiative has come a long way to weed out many of the classic and obvious vulnerabilities that we still see way too many of in software from a lot of other vendors. It's therefore interesting to come across a component like this translator where the code is so terrible that apparently neither internal nor external security researchers have really given it a proper audit before.
Considering this, it was not surprising that Microsoft gave up on attempting to fix all the problems in the PowerPoint 4.0 translator, but instead just disabled default support of these files (along with certain other legacy file formats). Even though support can be re-enabled via a registry key, it is strongly recommended that administrators refrain from doing so as many of these vulnerabilities are straight-forward to exploit.
Since I haven't uploaded a Binary Analysis to the sample page in a while, I thought I'd make it up and do so this month. You can therefore find one of the Adobe Reader for Linux analyses on our Binary Analysis sample page for your viewing pleasure.
Chief Security Specialist