CVE-2009-0556
Published: 03 April 2009
Summary
CVE-2009-0556 is a high-severity Code Injection (CWE-94) vulnerability in Microsoft Powerpoint. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 1.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, as well as PowerPoint in Microsoft Office 2004 for Mac, are affected by a memory corruption vulnerability. The flaw occurs when processing a PowerPoint file containing an OutlineTextRefAtom with an invalid index value, which can be triggered during file handling and is tracked under CWE-94.
Remote attackers can exploit the issue by supplying a malicious PowerPoint document, for example via email or web download. Successful attacks result in arbitrary code execution on the target system with the privileges of the logged-in user, and the vulnerability carried a CVSS score of 8.8 reflecting network attack vector and high impact on confidentiality, integrity, and availability.
Microsoft security advisories published in April 2009 describe active in-the-wild exploitation of the zero-day issue by Exploit:Win32/Apptom.gen and outline steps for detection along with recommended protective measures for affected installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2009-0560
Vulnerability details
Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac, allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an an invalid index value that triggers…
more
memory corruption, as exploited in the wild in April 2009 by Exploit:Win32/Apptom.gen, aka "Memory Corruption Vulnerability."
- CWE(s)
- KEV Date Added
- 07 January 2026
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Malicious-code protection mechanisms directly block or detect the specially crafted PowerPoint file containing the OutlineTextRefAtom exploit before it is processed.
Memory-protection techniques (DEP, ASLR, etc.) directly mitigate the memory-corruption primitive that enables arbitrary code execution from the invalid index value.
Flaw remediation requires prompt installation of the vendor patch that eliminates the OutlineTextRefAtom parsing vulnerability exploited in the wild.