1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. Web Attack: MS PPT Viewer TextBytesAtom RCE

Web Attack: MS PPT Viewer TextBytesAtom RCE

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.


This signature detects a vulnerability in Microsoft PowerPoint which may result in remote code execution.

Additional Information

Microsoft PowerPoint is a presentation application. PowerPoint Viewer lets users view presentations created in PowerPoint 97 and later versions.

PowerPoint Viewer is prone to a remote code-execution vulnerability because it fails to properly perform boundary checks on user-supplied data. A stack-based buffer overflow can be triggered when PowerPoint Viewer opens a specially crafted file containing a malformed size argument in 'TextBytesAtom' record data.

Successful exploits would allow an attacker to execute arbitrary code in the context of the currently logged-in user.

NOTE: The standalone version of PowerPoint Viewer has reached its end of life. Updates are provided to support PowerPoint 2003 users who created presentations with certain features that rely on PowerPoint Viewer.


  • Microsoft PowerPoint


The vendor has released an advisory and updates. Please see the references for details.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube