CVE-2010-2572 — Microsoft PowerPoint Buffer Overflow Vulnerability

CVE-2010-2572

Microsoft PowerPoint — Crafted Presentation File Triggers Buffer Overflow and Remote Code Execution via MS10-088

What is Microsoft PowerPoint?

Microsoft PowerPoint is the presentation application component of Microsoft Office, used globally by millions of people to create and deliver slideshows. PowerPoint supports a complex binary file format (PPT, the Office 97-2003 format) that encodes slide content, animations, embedded objects, VBA macros, and metadata in a structured binary stream. The PPT format's complexity — developed over two decades with numerous extensions and format versions — made it a recurring source of memory safety vulnerabilities throughout the 2000s and 2010s. A specially crafted PPT file could trigger parser vulnerabilities when opened in PowerPoint, making malicious presentations a reliable vehicle for targeted spear phishing attacks.

Overview

CVE-2010-2572 is a high-severity buffer overflow vulnerability (CWE-120, CVSS 7.8) in Microsoft PowerPoint's handling of the legacy PowerPoint 97-2003 (.ppt) file format. A specially crafted presentation file triggers a buffer copy without size validation, allowing remote code execution when the file is opened. Microsoft patched this vulnerability in Security Bulletin MS10-088 as part of the November 2010 Patch Tuesday release. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in June 2022, reflecting continued exploitation of legacy Office installations.

Affected Versions

Product                          Vulnerable   Fixed
Microsoft PowerPoint 2002 SP3    Affected     Apply MS10-088
Microsoft PowerPoint 2003 SP3    Affected     Apply MS10-088
Microsoft Office 2004 for Mac    Affected     Apply MS10-088

Note: PowerPoint 2007 and later versions were not affected by this specific vulnerability due to revised file parsing code and the default use of the Open XML (.pptx) format.

Technical Details

The vulnerability (CWE-120: Buffer Copy without Checking Size of Input) exists in PowerPoint's parsing of the legacy PPT binary format. The PPT format organizes content as a series of records — each with a type identifier, length field, and data payload. The vulnerable code path processes certain record types in a way that copies data into a fixed-size buffer without validating that the source data length fits within the buffer bounds.

When a crafted PPT file is opened, the PowerPoint parser reads a record with an inflated length value or unusually structured data. The unchecked buffer copy writes beyond the buffer's bounds, overwriting adjacent stack or heap memory. With suitable control over the overwritten data, an attacker can redirect execution to injected shellcode.
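The record structure described above can be checked before any copy takes place. The following C program is an added illustration, not code from PowerPoint or from Microsoft: it decodes the 8-byte MS-PPT record header (recVer/recInstance, recType, recLen, all little-endian), shows the CWE-120 copy pattern as a comment, and implements the hardened equivalent that validates the declared length against both the bytes remaining in the stream and the capacity of the destination buffer. The sample record streams and the record type values in them are constructed for the example; the function and enum names are the author's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* MS-PPT RecordHeader is 8 bytes, little-endian:
 *   2 bytes  recVer (low 4 bits) and recInstance (high 12 bits)
 *   2 bytes  recType
 *   4 bytes  recLen  = byte length of the data that follows the header
 * recLen is read straight from the file and must be treated as untrusted. */
#define PPT_HDR_LEN 8

typedef struct {
    uint8_t  rec_ver;
    uint16_t rec_instance;
    uint16_t rec_type;
    uint32_t rec_len;
} ppt_hdr;

enum ppt_status {
    PPT_OK = 0,
    PPT_ERR_TRUNCATED_HDR,    /* fewer than 8 bytes left for a header */
    PPT_ERR_LEN_EXCEEDS_FILE, /* recLen claims more data than the stream holds */
    PPT_ERR_LEN_EXCEEDS_DEST  /* recLen is larger than the fixed destination buffer */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the header at `off`; fails cleanly instead of reading past the end. */
enum ppt_status ppt_read_hdr(const uint8_t *buf, size_t len, size_t off, ppt_hdr *h)
{
    if (off > len || len - off < PPT_HDR_LEN)
        return PPT_ERR_TRUNCATED_HDR;
    uint16_t vi = rd16(buf + off);
    h->rec_ver      = (uint8_t)(vi & 0x0F);
    h->rec_instance = (uint16_t)(vi >> 4);
    h->rec_type     = rd16(buf + off + 2);
    h->rec_len      = rd32(buf + off + 4);
    return PPT_OK;
}

/* The CWE-120 anti-pattern the advisory describes has this shape:
 *     uint8_t data[64];
 *     memcpy(data, buf + off + PPT_HDR_LEN, h.rec_len);   // trusts recLen
 * A recLen larger than 64, or larger than what is left of the file, writes
 * past `data`. The hardened version below checks both bounds before copying. */
enum ppt_status ppt_copy_record(const uint8_t *buf, size_t len, size_t off,
                                uint8_t *dst, size_t dst_cap, ppt_hdr *h)
{
    enum ppt_status st = ppt_read_hdr(buf, len, off, h);
    if (st != PPT_OK) return st;
    size_t avail = len - off - PPT_HDR_LEN;   /* bytes actually present after the header */
    if (h->rec_len > avail)   return PPT_ERR_LEN_EXCEEDS_FILE;
    if (h->rec_len > dst_cap) return PPT_ERR_LEN_EXCEEDS_DEST;
    memcpy(dst, buf + off + PPT_HDR_LEN, h->rec_len);
    return PPT_OK;
}

/* Walk a flat record stream and count records; returns -1 if any header is
 * truncated or declares more data than the stream holds. A declared length
 * that cannot fit in its container is the "inflated length value" this bug
 * class depends on, so this doubles as a cheap triage check for a file. */
int ppt_count_records(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    ppt_hdr h;
    while (off < len) {
        if (ppt_read_hdr(buf, len, off, &h) != PPT_OK) return -1;
        if (h.rec_len > len - off - PPT_HDR_LEN) return -1;
        off += PPT_HDR_LEN + h.rec_len;
        n++;
    }
    return n;
}

/* Constructed sample streams (not real PowerPoint data; record types are arbitrary). */
static const uint8_t GOOD_STREAM[] = {
    0x00,0x00, 0x34,0x12, 0x04,0x00,0x00,0x00, 'a','b','c','d',  /* type 0x1234, len 4 */
    0x00,0x00, 0x78,0x56, 0x02,0x00,0x00,0x00, 'x','y'           /* type 0x5678, len 2 */
};
/* Header claims 0xFFFFFFF0 bytes of data, but only 4 follow it. */
static const uint8_t INFLATED_STREAM[] = {
    0x00,0x00, 0x34,0x12, 0xF0,0xFF,0xFF,0xFF, 'a','b','c','d'
};

int main(void)
{
    uint8_t data[8];
    ppt_hdr h;
    printf("good stream: %d records\n", ppt_count_records(GOOD_STREAM, sizeof GOOD_STREAM));
    printf("inflated stream: %d\n", ppt_count_records(INFLATED_STREAM, sizeof INFLATED_STREAM));
    printf("copy from inflated stream: status %d\n",
           ppt_copy_record(INFLATED_STREAM, sizeof INFLATED_STREAM, 0, data, sizeof data, &h));
    return 0;
}
```

The two checks in ppt_copy_record are independent and both are needed: a length that fits in the file can still exceed the fixed buffer, and a length that fits the buffer can still run past the end of the file. Real PPT containers nest records, so a production parser applies the same check recursively to each container's declared length.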

The Local attack vector (AV:L) in the CVSS score reflects that the PPT file must be present on the local filesystem — but delivery via email attachment or web download is trivial. The User Interaction: Required (UI:R) metric reflects that a user must open the malicious file.

Discovery

The vulnerability was discovered during vulnerability research into the PowerPoint PPT binary format. It was reported to Microsoft and addressed in MS10-088, which also fixed CVE-2010-2573 (a separate PowerPoint vulnerability). The November 2010 Patch Tuesday timing reflects standard Microsoft coordinated disclosure for vulnerabilities that did not have confirmed in-the-wild exploitation before the patch.

Exploitation Context

PowerPoint vulnerabilities were a consistent component of targeted attack campaigns in this era:

  • Spear phishing delivery: Malicious PPT files attached to targeted emails were a common first-stage attack in nation-state campaigns against government, defense, and financial targets. A convincing presentation deck from an apparent colleague or conference was a reliable social engineering lure.
  • Legacy format targeting: The PPT (Office 97-2003) format remained in widespread use long after Office 2007 introduced the Open XML format. Many organizations used "Save in Compatibility Mode" to share files with users running older Office versions, keeping the vulnerable parser active.
  • Office document exploitation ecosystem: PowerPoint vulnerabilities were packaged alongside Word and Excel exploits in targeted attack toolkits, providing attackers with multiple delivery mechanisms depending on what Office versions and file extensions their targets were likely to open.
  • KEV addition context: CISA's June 2022 addition reflects confirmed exploitation of this 12-year-old vulnerability against organizations running unpatched legacy Office installations — particularly common in environments that had not migrated from Office 2003.

Remediation

  1. Apply MS10-088: Install the November 2010 Patch Tuesday security update for affected PowerPoint versions.
  2. Upgrade Microsoft Office: Office 2002 and 2003 are long past end-of-life. Upgrade to Office 2019, Office 2021, or Microsoft 365.
  3. File format restrictions: Configure Office applications to warn or block when opening legacy PPT format files (File > Options > Trust Center > File Block Settings).
  4. Protected View: Office's Protected View sandbox opens files from the internet and email in a restricted mode — ensure Protected View is enabled for internet-sourced and email-attached files.
  5. Disable macros: Configure Group Policy to block VBA macros in Office files from the internet, removing a common companion attack vector.

Key Details

Property              Value
CVE ID                CVE-2010-2572
Vendor / Product      Microsoft — PowerPoint
NVD Published         2010-11-10
NVD Last Modified     2025-10-22
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-120
CISA KEV Added        2022-06-08
CISA KEV Deadline     2022-06-22
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-06-22. Apply updates per vendor instructions.

Timeline

Date        Event
2010-11-09  Microsoft released Security Bulletin MS10-088 (November 2010 Patch Tuesday) addressing CVE-2010-2572 and CVE-2010-2573
2010-11-10  CVE-2010-2572 published
2022-06-08  CISA added CVE-2010-2572 to KEV — reflecting continued exploitation of legacy PowerPoint installations
2022-06-22  CISA BOD 22-01 remediation deadline

References

Resource                                Type
NVD — CVE-2010-2572                     Vulnerability Database
CISA KEV Catalog Entry                  US Government
Microsoft Security Bulletin MS10-088    Vendor Advisory