What is Microsoft Office PowerPoint?
Microsoft PowerPoint is the world's dominant presentation application, part of the Microsoft Office suite. PowerPoint files (.PPT binary format and later .PPTX Open XML) are universally used for business presentations, investor decks, conference slides, and educational materials. The binary .PPT format, like other Office binary formats, contains hundreds of record types with complex parsing logic — each record type a potential target for memory corruption vulnerabilities. PowerPoint files are routinely shared via email and downloaded from the web, making malicious .PPT files an effective delivery mechanism for targeted attacks.
Overview
CVE-2009-0556 is a high-severity code injection vulnerability (CWE-94, CVSS 8.8) in Microsoft Office PowerPoint. A PowerPoint file containing an OutlineTextRefAtom record with an invalid index value triggers memory corruption during parsing, allowing arbitrary code execution when the file is opened. Patched in Microsoft Security Bulletin MS09-017 (May 2009 Patch Tuesday). Notably, CISA added this to KEV in January 2026 — 17 years after the original fix — indicating active in-the-wild exploitation of unpatched legacy Office installations in current attack campaigns.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Microsoft Office PowerPoint 2000 | Before May 2009 patch | Apply MS09-017 |
| Microsoft Office PowerPoint 2002 (Office XP) | Before May 2009 patch | Apply MS09-017 |
| Microsoft Office PowerPoint 2003 | Before May 2009 patch | Apply MS09-017 |
| Microsoft Office PowerPoint 2007 | Before May 2009 patch | Apply MS09-017 |
| Microsoft Office 2004 for Mac | Before May 2009 patch | Apply MS09-017 |
| Microsoft Office PowerPoint Viewer 2003/2007 | Before May 2009 patch | Apply MS09-017 |
Technical Details
The vulnerability exists in how PowerPoint processes the OutlineTextRefAtom record in binary .PPT files. The OutlineTextRefAtom is a record type that references text objects within a presentation's outline structure. When parsing a file, PowerPoint uses the index value stored in OutlineTextRefAtom to look up a corresponding text object in an internal array or table.
In the vulnerable code path, PowerPoint fails to validate that the index value is within the valid range of the text object array. An attacker can craft a .PPT file with an OutlineTextRefAtom containing an index that points outside the array bounds. When PowerPoint dereferences this invalid index, it accesses arbitrary memory — potentially attacker-controlled data placed via heap spraying or other memory positioning techniques.
This memory corruption:
- Can corrupt adjacent heap structures, redirecting function pointer or virtual table lookups
- Through heap spray, can cause execution to jump to attacker-supplied shellcode
- Executes with the privileges of the user running PowerPoint
The CVSS "Network" attack vector reflects the practical delivery mechanism — malicious .PPT files sent as email attachments or hosted on websites, even though exploitation occurs locally.
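The bounds check described above, applied as file triage. This is an added example, not code from the page, from Microsoft, or from any vendor tool. It walks the record stream of a binary .PPT and flags any OutlineTextRefAtom whose index is negative or not below the number of TextHeaderAtom records present. Assumptions: the 8-byte record header layout and the type ids 0x0F9E/0x0F9F are taken from the public [MS-PPT] specification, the input is the already-extracted "PowerPoint Document" stream, and the sample bytes are constructed.

```python
import struct

# Record type ids from the public [MS-PPT] specification (assumption, not stated on this page).
RT_OUTLINE_TEXT_REF_ATOM = 0x0F9E
RT_TEXT_HEADER_ATOM = 0x0F9F

def walk_records(buf, start=0, end=None):
    """Yield (rec_type, payload) for every record, descending into containers."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        ver_inst, rec_type, rec_len = struct.unpack_from("<HHI", buf, pos)
        body = pos + 8
        if rec_len > end - body:
            raise ValueError(f"record 0x{rec_type:04X} at offset {pos} overruns its parent")
        if ver_inst & 0x000F == 0xF:  # recVer 0xF marks a container of child records
            yield from walk_records(buf, body, body + rec_len)
        else:
            yield rec_type, buf[body:body + rec_len]
        pos = body + rec_len

def find_bad_outline_refs(stream):
    """Return (reason, value) findings for OutlineTextRefAtom records with an invalid index."""
    records = list(walk_records(stream))
    # Heuristic upper bound (assumption): a valid index is below the stream's TextHeaderAtom count.
    header_count = sum(1 for rec_type, _ in records if rec_type == RT_TEXT_HEADER_ATOM)
    findings = []
    for rec_type, payload in records:
        if rec_type != RT_OUTLINE_TEXT_REF_ATOM:
            continue
        if len(payload) != 4:
            findings.append(("bad-length", len(payload)))
            continue
        (index,) = struct.unpack("<i", payload)  # signed 32-bit index
        if index < 0 or index >= header_count:
            findings.append(("index-out-of-range", index))
    return findings

def rec(rec_type, payload, ver=0):
    """Build one record (helper for the constructed sample below)."""
    return struct.pack("<HHI", ver, rec_type, len(payload)) + payload

# Constructed sample: a container (0x0FF0) with two text headers, then one valid and one invalid ref.
headers = rec(RT_TEXT_HEADER_ATOM, struct.pack("<I", 0)) * 2
SAMPLE = (rec(0x0FF0, headers, ver=0xF)
          + rec(RT_OUTLINE_TEXT_REF_ATOM, struct.pack("<i", 1))
          + rec(RT_OUTLINE_TEXT_REF_ATOM, struct.pack("<i", 0x7FFFFFF0)))

print(find_bad_outline_refs(SAMPLE))
```

The stream-wide count is a deliberately loose bound, so a hit is strong evidence of a malformed file, while a clean result does not prove every per-slide index is valid.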
Discovery
Identified through security research into PowerPoint's binary format parsing code and reported to Microsoft. The May 2009 Patch Tuesday bulletin MS09-017 addressed this vulnerability alongside other PowerPoint security issues. The January 2026 CISA KEV addition indicates fresh threat intelligence showing current exploitation.
Exploitation Context
The January 2026 KEV addition for a 17-year-old vulnerability highlights ongoing risks from legacy Office software:
- Current active exploitation: CISA's KEV standard requires confirmed evidence of active in-the-wild exploitation — this is not a theoretical risk. Attackers are actively using crafted .PPT files against systems running unpatched Office versions in 2026.
- Legacy enterprise Office: Large organizations and government agencies sometimes run Office 2003/2007 on specialized systems — kiosks, isolated workstations, embedded applications — that haven't been updated in years.
- Targeted spear phishing: PowerPoint presentations are commonly used in targeted spear phishing — conference invites, investor presentations, briefing materials — crafted to appear relevant to the specific target to maximize the likelihood of opening.
- Required action wording: The KEV "apply mitigations or discontinue use" language reflects that some of these Office versions are completely past end-of-life with no vendor support path.
Remediation
- Apply MS09-017: Ensure all Office 2000/2002/2003/2007 installations have the May 2009 Patch Tuesday update applied.
- Upgrade to a supported Office version: Office 2003 and earlier are end-of-life. Upgrade to Microsoft 365 or Office 2019/2021, which receive ongoing security updates.
- Enable Protected View: Modern Office versions open downloaded files in Protected View sandbox mode, preventing exploitation of parsing vulnerabilities. Confirm this is enabled for internet and email sources.
- Block .PPT legacy format: If not required, configure email gateways to block legacy binary .PPT files; .PPTX (Open XML) has a substantially smaller parser attack surface.
- Inventory legacy Office: Identify and urgently address any remaining Office 2003/2007 deployments, particularly in high-value environments.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2009-0556 |
| Vendor / Product | Microsoft — Office |
| NVD Published | 2009-04-03 |
| NVD Last Modified | 2026-01-08 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-94 |
| CISA KEV Added | 2026-01-07 |
| CISA KEV Deadline | 2026-01-28 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2009-04-03 | CVE-2009-0556 published; PowerPoint OutlineTextRefAtom memory corruption vulnerability disclosed |
| 2009-05-12 | Microsoft released Security Bulletin MS09-017 (May 2009 Patch Tuesday) patching multiple PowerPoint vulnerabilities including CVE-2009-0556 |
| 2026-01-07 | CISA added to KEV — 17 years after original patch, indicating active exploitation of legacy PowerPoint installations in current campaigns |
| 2026-01-28 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2009-0556 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Bulletin MS09-017 | Vendor Advisory |