New Zero-Day PowerPoint Exploit Hits

By Ed Oswald | Published August 21, 2006, 12:48 PM

A new zero-day exploit was disclosed over the weekend for an unpatched flaw in Microsoft's PowerPoint software, which could allow for an attacker to take complete control of an affected system and run arbitrary code.

Although details on the exploit are scant, it is known the malware that is distributing the exploit is a trojan horse.

It is believed that the flaw allowing for the attacks is a new vulnerability, although it may be related to some issues resolved in this month's Patch Tuesday updates. Affected operating systems include all versions of Windows, according to security researchers.

Finnish security expert Juha-Matti Laurio said that the exploit was first found last week in the wild. "The best advice is to use anti-virus software protecting from this specific malware and check that virus signature files are up-to-date," he wrote in the SecuriTeam blog Sunday.

Laurio identified the name of the file reportedly distributing the exploit, TROJ_SMALL.CMZ, and said the size of the PowerPoint file delivering the offending code is 72K. A check of the top antivirus programs did not show that antivirus definition files were protecting against the exploit, although Laurio said that some may already be doing so, but have not updated their Web sites due to the weekend.

In the meantime, Laurio stressed PowerPoint users should use caution when opening up files from outside sources until a fix is provided. "These days you can't trust that the sender information included to message PowerPoint file attached is truthful," he said. "If you are not sure, you can always call to the sender if e-mail including .PPT attachments arrives unexpectedly."

As of press time, Microsoft had not yet confirmed the issue. The company regularly announces new threats to Windows and Office, and schedules a fix for the next Patch Tuesday release.

Comments

View comments by with a score of at least

Could a BETANEWS editor update the title please?

It is now known that this is an old bug that was patched almost half a year ago.

http://news.com.com/2061-10789_3-6107998.html

Score: 0

|

Well, I suppose we could say it's better than a -1 day exploit. :)

Score: 0

|

Someday surfing will be like surfing and less like walking barefoot in a cow pasture.

Score: 0

|

.^

Someone stepped on a goatse link. ;P

Score: 0

|

.cx

heh

Score: 0

|

Not supposed to accept/open a binary file like Powerpoint or other Office documents from anyone without proper and adequate virus protection.

Score: 0

|

Trend Micro says this is not a 0-day exploit, but exploit an old flaw (MS06-012).

“This Trojan is not a zero-day exploit. It attempts to exploit the Microsoft Office Remote Code Execution Using a Malformed Routing Slip Vulnerability. It is seen that this Trojan has a similarity with other malware exploiting the said Vulnerability. Note that the shell code of the sample is actually located in the routing slip record. However, the shellcode does not manifest the said behavior.”

http://www.trendmicro.co...ROPPER%2EBH&VSect=T

According to Stephen Toulouse, a program manager in the MSRC (Microsoft Security Response Center), the vulnerability has already been resolved by an update.
"Our initial investigation is that this is not a new zero-day at all," Toulouse said in an e-mail exchange with eWEEK.

Score: 0

|

"In the meantime, Laurio stressed PowerPoint users should use caution when opening up files from outside sources until a fix is provided."

Or just open it in OpenOffice (etc), then you won't get infected*. :D

* - Disclaimer: I am not claiming OpenOffice (etc), are bug free, just that they do not share PowerPoint bugs and exploits, thus making any malformed PPT ineffective.

Score: 0

|

SO people should just hop back and forth between office versions as the one with the least 0-days is better off?

Smoke: me want it.

Score: 0

|

In general, people should not assume that OpenOffice is more secure. Here: http://news.com.com/Open...100-1002_3-6105176.html

Also, to quote a CNET security blog:
"Trend Micro has now run the sample of the Trojan horse through numerous tests and concluded that it doesn't work. "We can't get it to work on any version of Windows," Perry said."

Score: 0

|

OpenOffice.org has hit back at claims that the alternative office applications suite is riddled with security holes. Researchers at the French Ministry of Defense say that OpenOffice is subject to security weaknesses that make it at least as susceptible to computer viruses as the commercial, more widely used, Microsoft Office.

The French research paper, entitled an In-depth analysis of the viral threats with OpenOffice.org documents (PDF), looked at four proof-of-concept viruses and a variety of attack scenarios before concluding that the "general security of OpenOffice is insufficient," IDG reports. Among the risks highlighted were the possibility of creating malicious macros targeting OpenOffice documents.

"The viral hazard attached to OpenOffice.org is at least as high as that for the Microsoft Office suite, and even higher when considering some... aspects," the researchers, information security specialists at the French Ministry of Defense's Signal Corps, said. Their paper is due to be published Paris-based Journal in Computer Virology.

Score: 0

|

*yawn*

Score: 0

|

KABOOM, another zero-day exploit...

having fun in Microsux world? HAHAHA

Score: 0

|

...

It ain't news when it happens all the time.

BetaNews passes up ~real~ computer stories
to do stuff like this and articles on hybrid cars !

...

The Computer Rodent

...

Score: 0

|

People still use PowerPoint? Who knew!

Score: 0

|

Only managers (with too much time on their hands) as far as I know...

Score: 0

|

This is nice. Everytime I visit Betanews.

http://img520.imageshack...g520/6554/prompthy9.png

Score: 0

|

An ad image being served was password protected for some reason by one of the advertisers. They are fixing/have fixed it.

Score: 0

|

Cool deal.

Thanks. :)

Score: 0

|

Wow, another case of "Dont open stuff from people you dont know". If the exploit requires me to open a file from someone i dont know, then I am not worried at all about it.

Score: 0

|

As mentioned, it can "come" from someone you "do" know, so the advice is silly.

I think I've gotten about 1 powerpoint file from an external source in my life? the files really aren't e-mailed that often between companies/domains.

Score: 0

|

But you have to look at the powerpoint slide show going around with pictures from Tiger Woods' ocean-front house and the ruler of Dubai's palace. How can you resist? :)

Score: 0

|

If someone I know gets me infected then any further communications, via email, will be halted. Quite simple.

Score: 0

|

Google Chrome 4: Yes, it's fast, but is it usable?

As Betanews readers have responded to our stories about Chrome's JavaScript superiority...Does that mean we'd actually use this browser? Well...

Video: Netflix on PlayStation 3

Netflix has come to the PlayStation 3 via Blu-ray and BD-Live.

Verizon Wireless launches new Android, Chocolate, and ruggedized phones

The lower-priced Eris joins the Droid, while the Chocolate gets a touchscreen and more music playback.

Early sales figures for Windows 7 nicely high, but do we know why?

Fans of triple-digit surges in figures quoted by Betanews will love this one, as it appears Microsoft rediscovered how to pull off a software launch.

Myka announces its latest Linux-based 'net top box'

Myka's ION brings Boxee, XMBC, and much more to HDTVs.

What hath Mac wrought? A remembrance after a quarter-century

The reason there's a Macintosh today is not because of some brilliant flash of engineering genius, but because Apple had the audacity to learn from its mistakes.

Early build of Moblin 2.1 improves connectivity, but not device support

The Linux Foundation's Atom-centric OS yesterday received a major overhaul with the project release of Moblin 2.1 for netbooks and nettops.

The iPhone's China syndrome: Sales of 5,000 and climbing

There's actually a country where Apple's device is not a godsend, where sales can be measured in the dozens.

New European counterpart to FCC will ensure 'a more neutral net'

Late Thursday night, the ruling telecom administrators of the EU's member nations signed away their final authority to a new entity overseen by the EC.

Sophos study suggests Windows 7 UAC's default setting is self-defeating

Without any anti-virus installed, a Sophos test showed, User Account Control was only capable of thwarting just one malware package out of ten samples chosen.

Indiscreet tweet trips awareness of Web SSL vulnerability

A group of high-level security engineers had been making progress on thwarting a low-level threat to the Web, until somebody blurted it all out on Twitter.