Security News CISA Warns of Microsoft PowerPoint Code Injection Vulnerability Exploited in Attacks

Brownie2019

CISA issued a critical alert regarding a code-injection vulnerability in Microsoft PowerPoint that poses a significant risk to organizations worldwide.

The vulnerability, tracked as CVE-2009-0556, allows remote attackers to execute arbitrary code by crafting malicious PowerPoint files, potentially compromising system security and enabling unauthorized access to sensitive data.
More here:
 
Would "Block Office applications from injecting code into other processes" fix the vulnerability?
 
NIST NVD Analysis

CVE ID
CVE-2009-0556

Original Publish Date
April 3, 2009

Severity
Critical (CVSS 2.0 Score: 9.3)

Technical Root Cause
The vulnerability is a Memory Corruption error located specifically in how PowerPoint handles the OutlineTextRefAtom object. If an attacker sets an invalid index value in this object, it crashes the application in a way that allows code execution.

Affected Software
This strictly affects legacy versions (Microsoft Office PowerPoint 2000, 2002, 2003, and 2004 for Mac).

CISA KEV Catalog
Why is this news in 2026? CISA added this specific legacy CVE to the Known Exploited Vulnerabilities (KEV) catalog on January 7, 2026.

Mandate
This action forces Federal Civilian Executive Branch (FCEB) agencies to identify and patch (or remove) these legacy instances by January 28, 2026.

Implication
The addition to KEV confirms that threat actors are actively using this specific 2009 exploit right now, likely targeting organizations running obsolete software or accessing old archives.

SANS Internet Storm Center (Historical Context)
SANS archives confirm this vulnerability was originally exploited in the wild back in April 2009.

The resurgence indicates a "Zombie" threat pattern: attackers are recycling old exploits because they know organizations often neglect to remove end-of-life (EOL) software from their networks.

Recommendations (Based on NIST/CISA Data)

Hunt for "Ghost" Installations: The primary risk is not that your modern Office 365 is vulnerable (it is not), but that an old version of Office 2003/2007 is code-accessible on a forgotten server or workstation.

Action
Scan endpoints specifically for powerpnt.exe versions prior to 12.0.

Filter Binary Formats
The exploit relies on the legacy binary file structure (OLE/COM objects).

Action
Block .ppt (Pre-2007 binary format) at the email gateway. Allow only .pptx (XML format), which renders this specific memory corruption exploit ineffective.

Adhere to the Deadline
Treat the CISA deadline of January 28, 2026 as your internal deadline to verify that no legacy PowerPoint viewers exist in your environment.
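The two "Action" items in the post above (find powerpnt.exe builds older than 12.0, and let only genuine .pptx files through) can be scripted. The block below is an added example written for this thread, not code from NIST, CISA or the poster; it assumes an elevated PowerShell 5.1 or later session on the endpoint, and the file path in the usage lines is hypothetical. The second function goes a step further than the text: it classifies a presentation by its magic bytes, so a legacy OLE binary renamed to .pptx is still caught.

```powershell
# Added example, not code from the thread: checks behind the "hunt for ghost
# installations" and "filter binary formats" recommendations above.
# Assumptions: elevated PowerShell 5.1+ on the endpoint; the sample path in the
# usage lines at the bottom is hypothetical.

function Find-LegacyPowerPoint {
    # Walk the usual install roots for powerpnt.exe and flag file versions below
    # 12.0 (Office 2007). Anything older falls in the CVE-2009-0556 affected range.
    param([string[]]$Roots = @('C:\Program Files', 'C:\Program Files (x86)'))
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'powerpnt.exe' -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $_.VersionInfo.FileVersion
                    Legacy      = ($_.VersionInfo.FileMajorPart -lt 12)
                }
            }
    }
}

function Get-PresentationContainer {
    # Classify a file by its magic bytes rather than its extension:
    #   D0 CF 11 E0 A1 B1 1A E1 -> OLE Compound File (legacy binary .ppt)
    #   50 4B 03 04             -> ZIP container (Office Open XML .pptx)
    # An extension/container mismatch is the case a gateway filter must not miss.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 8
        $n = $fs.Read($buf, 0, 8)
    } finally {
        $fs.Dispose()
    }
    $hex = ''
    if ($n -gt 0) { $hex = ([System.BitConverter]::ToString($buf, 0, $n)) -replace '-', '' }
    $container = 'Unknown'
    if ($hex -like 'D0CF11E0A1B11AE1*') { $container = 'OLE-Binary' }
    if ($hex -like '504B0304*')         { $container = 'OOXML-Zip' }
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    # Gateway policy from the post: allow only .pptx, and only when the bytes agree.
    $decision = 'Block'
    if ($ext -eq '.pptx' -and $container -eq 'OOXML-Zip') { $decision = 'Allow' }
    [pscustomobject]@{
        Path      = $Path
        Extension = $ext
        Container = $container
        Decision  = $decision
    }
}

# Usage (hypothetical path for the second call):
Find-LegacyPowerPoint | Where-Object Legacy | Format-Table -AutoSize
Get-PresentationContainer -Path 'C:\Quarantine\agenda.pptx'
```

The version check relies on the file's embedded version resource, so a copied-around powerpnt.exe outside Program Files will not be found unless you add its root to -Roots; the container check is what you would run on a mail-gateway quarantine folder rather than on the endpoint.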
 
well if it's a PowerPoint exploit then you can say good bye to the whole DoD/DoW IT infrastructure well ok EXCEPT for the Marines because they are still on crayons.
 
I cannot answer all your questions because they are contrary to my code of conduct.
As I have already written, you should never use obsolete and risky software, especially in an administrator account (you). ;)

What mitigations should be included in WD-Anti Exploit?
The same ones used in Firefox, for example:

 
I'm using the latest (MS Office 2024); some users cannot activate the latest; the older versions are more easily activated; they use it on air-gapped PCs usually for home productivity or some governmental sectors; the risk of execution of malicious code is remote, unless they insert an infected USB drive.
 

If the risk is remote, the situation improves (but is not resolved) with Anti-Exploit rules.
 
List me the remaining 12 rules and I will apply, please.
It's too difficult for me to translate the rules from my language into English, I'm just a poor fisherman... ;)
You find a way to apply these export settings.;)


Code:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Exported Exploit Protection settings for LibreOffice Impress. The
     MitigationPolicy root is what Set-ProcessMitigation -PolicyFilePath
     expects when importing; the posted fragment started at AppConfig. -->
<MitigationPolicy>
  <AppConfig Executable="C:\Program Files\LibreOffice\program\simpress.exe">
    <DEP Enable="true" EmulateAtlThunks="false"/>
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true"/>
    <StrictHandle Enable="true"/>
    <ExtensionPoints DisableExtensionPoints="false"/>
    <ControlFlowGuard Enable="true" SuppressExports="false"/>
    <SignedBinaries EnforceModuleDependencySigning="true"/>
    <Fonts DisableNonSystemFonts="true" AuditOnly="false" Audit="false"/>
    <ImageLoad BlockRemoteImageLoads="true" AuditRemoteImageLoads="false" BlockLowLabelImageLoads="true" AuditLowLabelImageLoads="false"/>
    <SEHOP Enable="true" TelemetryOnly="false"/>
    <Heap TerminateOnError="true"/>
  </AppConfig>
</MitigationPolicy>
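For anyone who wants to apply the export above rather than click through the rules by hand: the block below is an added example, not the poster's own code. It assumes an elevated PowerShell session on Windows 10/11 with the built-in ProcessMitigations module, and that the XML has been saved at the hypothetical path C:\Temp\simpress-fragment.xml. A bare <AppConfig> fragment is not importable on its own, so the function wraps it in the <MitigationPolicy> root that Set-ProcessMitigation expects, applies it, and then reads back what Windows actually stored for the executable.

```powershell
# Added example, not the poster's own code: turn the exported <AppConfig> block
# above into an importable Exploit Protection policy, apply it, and read back the
# effective settings. Assumptions: elevated PowerShell on Windows 10/11 with the
# ProcessMitigations module (ships with Windows); the fragment is saved at the
# hypothetical path C:\Temp\simpress-fragment.xml.

function Import-AppMitigationFragment {
    param(
        [Parameter(Mandatory)][string]$FragmentPath,
        [string]$PolicyPath = (Join-Path $env:TEMP 'mitigation-policy.xml')
    )
    [xml]$doc = Get-Content -LiteralPath $FragmentPath -Raw
    if ($doc.DocumentElement.Name -eq 'MitigationPolicy') {
        # Already a complete policy file, use it as-is.
        $policy = $doc
    } else {
        # A bare <AppConfig> fragment (as pasted above) is not importable on its own;
        # Set-ProcessMitigation -PolicyFilePath expects a <MitigationPolicy> root.
        $policy = New-Object System.Xml.XmlDocument
        $root   = $policy.AppendChild($policy.CreateElement('MitigationPolicy'))
        $null   = $root.AppendChild($policy.ImportNode($doc.DocumentElement, $true))
    }
    $policy.Save($PolicyPath)
    Set-ProcessMitigation -PolicyFilePath $PolicyPath
    return $PolicyPath
}

function Show-AppMitigations {
    # Read back what Windows actually stores for the executable after the import;
    # compare the Enable/ON flags with the attributes in the XML.
    param([Parameter(Mandatory)][string]$ExecutableName)
    Get-ProcessMitigation -Name $ExecutableName
}

# Usage (hypothetical path). The same file, with Executable changed to
# powerpnt.exe, applies the identical mitigation set to PowerPoint.
$policyFile = Import-AppMitigationFragment -FragmentPath 'C:\Temp\simpress-fragment.xml'
Show-AppMitigations -ExecutableName 'simpress.exe'
```

Read the output of Show-AppMitigations before trusting the import: if a setting shows as NOTSET where the XML says "true", the attribute name or the executable name in the file did not match and nothing was applied for that rule.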
 
I only got 5 minutes available so I used Big Brother AI which summarizes the key points quite well (the "What Actually Helps" section at the very end is technically correct, but also a technically difficult thing for the typical home user to do).

 
I was not referring to blocking creating child process, I meant code injection.
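Since the question in the thread is about the code-injection ASR rule specifically: the block below is an added example, not code from the thread, that reads the rule's current state, optionally enables it in audit mode first, and pulls the Defender events it writes. It assumes an elevated PowerShell session with Microsoft Defender Antivirus active; the GUID is Microsoft's published identifier for "Block Office applications from injecting code into other processes". Worth keeping in mind when judging the answer to the original question: this rule acts on behaviour after PowerPoint is already running attacker-controlled code (an Office process writing into another process). It does not remove the OutlineTextRefAtom parsing flaw in the legacy binaries, so it is a layer on top of patching or removal, not a substitute for it.

```powershell
# Added example, not code from the thread: check, enable and monitor the ASR rule
# "Block Office applications from injecting code into other processes".
# Assumptions: elevated PowerShell with Microsoft Defender Antivirus active.

$CodeInjectionRule = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
# Numeric action codes as reported by Get-MpPreference.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Look the rule up in the parallel Ids/Actions arrays of the Defender preferences.
    param([Parameter(Mandatory)][string]$RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            $code = [int]$acts[$i]
            return [pscustomobject]@{ RuleId = $RuleId; Action = $ActionNames[$code]; Code = $code }
        }
    }
    [pscustomobject]@{ RuleId = $RuleId; Action = 'NotConfigured'; Code = $null }
}

function Enable-AsrRule {
    # Start in AuditMode so you can see what the rule would have blocked (event 1122)
    # before switching it to Enabled (event 1121 on a block).
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode'
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Mode
}

function Get-AsrEvents {
    # 1121 = an ASR rule blocked an action, 1122 = a rule fired in audit mode.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage:
Get-AsrRuleState -RuleId $CodeInjectionRule
# Enable-AsrRule -RuleId $CodeInjectionRule -Mode AuditMode   # uncomment to turn on in audit mode
Get-AsrEvents -Hours 24
```

If Get-MpPreference returns empty arrays, ASR rules are managed elsewhere (Intune or Group Policy) and the local preference does not reflect the effective state; the event log check still works in that case.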