Microsoft PowerPoint Malformed Record Remote Code Execution Vulnerability



Date Discovered

June 13, 2006


Microsoft PowerPoint is prone to a remote code-execution vulnerability. The issue is related to how the application processes malformed record data in PowerPoint documents. To exploit this issue, an attacker must entice a victim to open a malicious PowerPoint file. If the exploit is successful, the attacker may execute arbitrary code with the privileges of the currently logged-in user.

Technologies Affected

  • Microsoft PowerPoint 2000 SP2
  • Microsoft PowerPoint 2000 SR1
  • Microsoft PowerPoint 2000
  • Microsoft PowerPoint 2000 SP3
  • Microsoft PowerPoint 2002 SP1
  • Microsoft PowerPoint 2002
  • Microsoft PowerPoint 2002 SP2
  • Microsoft PowerPoint 2002 SP3
  • Microsoft PowerPoint 2003
  • Microsoft PowerPoint 2003 SP1
  • Microsoft PowerPoint 2003 SP2
  • Microsoft PowerPoint 2003 SP3
  • Microsoft PowerPoint 2004 for Mac
  • Microsoft PowerPoint v. X for Mac


Do not accept or execute files from untrusted or unknown sources.
This issue may be exploited with a malicious PowerPoint document. Users are advised to avoid opening any unsolicited or unexpected files, especially if they arrive from an unfamiliar source. This tactic may limit exposure to this vulnerability.

Do not follow links provided by unknown or untrusted sources.
This issue may be exploited by a malicious website. Users should be wary of visiting websites of questionable integrity, especially if solicited to do so by an untrusted or unfamiliar source.

Implement multiple redundant layers of security.
Deploy host-based intrusion-prevention systems that employ such features as memory protection. This may complicate exploitation of memory-corruption vulnerabilities by providing non-executable stacks/heaps and randomly mapped memory segments.

Run all software as a nonprivileged user with minimal access rights.
Perform all non-administrative tasks as an unprivileged user with minimal access rights. This may limit the impact of latent vulnerabilities in applications.

Microsoft has released a security bulletin and fixes to address this issue.



Discovery is credited to Nicolas Ruff, Fabrice Desclaux, and Kostya Kortchinsky of European Aeronautic Defence and Space Company, Symantec, and Dejun Meng.

© 1995- Symantec Corporation

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from


The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.