
No patch, just a crash for Microsoft PowerPoint flaw

On the eve of another Patch Tuesday, Microsoft delivered some good news Friday when engineers reported that a PowerPoint flaw disclosed last month cannot be exploited for remote code execution.

Instead of being classified as a security vulnerability capable of compromising a user's system, the bug can only cause a PowerPoint 2003 crash and will not require a patch, according to two engineers, part of the Secure Windows Initiative team, who posted late Friday on the Microsoft Security Response Center blog.

"The PowerPoint team has developed a fix for this bug, and it will go into the next available ship vehicle for PowerPoint," the post said.

Vulnerability monitoring firm Secunia, which first labeled the flaw "highly critical" in response to Microsoft's initial advisory in early October, has downgraded the rating to "not critical."

"Originally, Microsoft stated, contrary to Secunia's internal findings, that successful exploitation could allow execution of arbitrary code," Secunia's updated advisory said. "However, Microsoft has now officially retracted this statement and concludes in thread with Secunia that it's only possible to crash the application."

The vulnerability is caused by dereferencing a NULL pointer, that is, attempting to access the value the pointer refers to, while processing a malformed PowerPoint file.
