Print this article  |  E-mail this article  |  Comment on this article

New Zero-Day PowerPoint Exploit Hits

By Ed Oswald, BetaNews

August 21, 2006, 12:48 PM

A new zero-day exploit was disclosed over the weekend for an unpatched flaw in Microsoft's PowerPoint software, which could allow for an attacker to take complete control of an affected system and run arbitrary code.

Although details on the exploit are scant, it is known the malware that is distributing the exploit is a trojan horse.

It is believed that the flaw allowing for the attacks is a new vulnerability, although it may be related to some issues resolved in this month's Patch Tuesday updates. Affected operating systems include all versions of Windows, according to security researchers.

Finnish security expert Juha-Matti Laurio said that the exploit was first found last week in the wild. "The best advice is to use anti-virus software protecting from this specific malware and check that virus signature files are up-to-date," he wrote in the SecuriTeam blog Sunday.

Laurio identified the name of the file reportedly distributing the exploit, TROJ_SMALL.CMZ, and said the size of the PowerPoint file delivering the offending code is 72K. A check of the top antivirus programs did not show that antivirus definition files were protecting against the exploit, although Laurio said that some may already be doing so, but have not updated their Web sites due to the weekend.

In the meantime, Laurio stressed PowerPoint users should use caution when opening up files from outside sources until a fix is provided. "These days you can't trust that the sender information included to message PowerPoint file attached is truthful," he said. "If you are not sure, you can always call to the sender if e-mail including .PPT attachments arrives unexpectedly."

As of press time, Microsoft had not yet confirmed the issue. The company regularly announces new threats to Windows and Office, and schedules a fix for the next Patch Tuesday release.

Add a Comment (24 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By templar™

edited Aug 23, 2006 - 2:05 AM

Could a BETANEWS editor update the title please?

It is now known that this is an old bug that was patched almost half a year ago.

http://news.com.com/2061-10789_3-6107998.html

Score: 0

By ds0934

posted Aug 22, 2006 - 4:30 PM

Well, I suppose we could say it's better than a -1 day exploit. :)

Score: 0

By Scotch Moose

posted Aug 22, 2006 - 1:30 PM

Someday surfing will be like surfing and less like walking barefoot in a cow pasture.

Score: 0

By PC_Tool

posted Aug 22, 2006 - 3:17 PM

.^

Someone stepped on a goatse link. ;P

Score: 0

By fewt

edited Aug 22, 2006 - 8:47 PM

.cx

heh

Score: 0

By RingMaster

posted Aug 22, 2006 - 12:20 PM

Not supposed to accept/open a binary file like Powerpoint or other Office documents from anyone without proper and adequate virus protection.

Score: 0

By callus

edited Aug 22, 2006 - 9:35 AM

Trend Micro says this is not a 0-day exploit, but exploit an old flaw (MS06-012).

“This Trojan is not a zero-day exploit. It attempts to exploit the Microsoft Office Remote Code Execution Using a Malformed Routing Slip Vulnerability. It is seen that this Trojan has a similarity with other malware exploiting the said Vulnerability. Note that the shell code of the sample is actually located in the routing slip record. However, the shellcode does not manifest the said behavior.”

http://www.trendmicro.co...ROPPER%2EBH&VSect=T

According to Stephen Toulouse, a program manager in the MSRC (Microsoft Security Response Center), the vulnerability has already been resolved by an update.
"Our initial investigation is that this is not a new zero-day at all," Toulouse said in an e-mail exchange with eWEEK.

Score: 0

By The MAZZTer

posted Aug 22, 2006 - 12:35 AM

"In the meantime, Laurio stressed PowerPoint users should use caution when opening up files from outside sources until a fix is provided."

Or just open it in OpenOffice (etc), then you won't get infected*. :D

* - Disclaimer: I am not claiming OpenOffice (etc), are bug free, just that they do not share PowerPoint bugs and exploits, thus making any malformed PPT ineffective.

Score: 0

By davis32

edited Aug 23, 2006 - 5:32 AM

OpenOffice.org has hit back at claims that the alternative office applications suite is riddled with security holes. Researchers at the French Ministry of Defense say that OpenOffice is subject to security weaknesses that make it at least as susceptible to computer viruses as the commercial, more widely used, Microsoft Office.

The French research paper, entitled an In-depth analysis of the viral threats with OpenOffice.org documents (PDF), looked at four proof-of-concept viruses and a variety of attack scenarios before concluding that the "general security of OpenOffice is insufficient," IDG reports. Among the risks highlighted were the possibility of creating malicious macros targeting OpenOffice documents.

"The viral hazard attached to OpenOffice.org is at least as high as that for the Microsoft Office suite, and even higher when considering some... aspects," the researchers, information security specialists at the French Ministry of Defense's Signal Corps, said. Their paper is due to be published Paris-based Journal in Computer Virology.

Score: 0

By templar™

edited Aug 23, 2006 - 2:07 AM

In general, people should not assume that OpenOffice is more secure. Here: http://news.com.com/Open...100-1002_3-6105176.html

Also, to quote a CNET security blog:
"Trend Micro has now run the sample of the Trojan horse through numerous tests and concluded that it doesn't work. "We can't get it to work on any version of Windows," Perry said."

Score: 0

By mjm01010101

posted Aug 22, 2006 - 12:59 PM

SO people should just hop back and forth between office versions as the one with the least 0-days is better off?

Smoke: me want it.

Score: 0

By eclipsingdivinity

posted Aug 21, 2006 - 8:20 PM

*yawn*

Score: 0

By GCoder

posted Aug 21, 2006 - 4:06 PM

KABOOM, another zero-day exploit...

having fun in Microsux world? HAHAHA

Score: 0

By PC Rat

edited Aug 21, 2006 - 2:23 PM

...

It ain't news when it happens all the time.

BetaNews passes up ~real~ computer stories
to do stuff like this and articles on hybrid cars !

...

The Computer Rodent

...

Score: 0

By zridling

posted Aug 21, 2006 - 1:36 PM

People still use PowerPoint? Who knew!

Score: 0

By Frostek

posted Aug 22, 2006 - 6:20 AM

Only managers (with too much time on their hands) as far as I know...

Score: 0

By Joe Dirt

posted Aug 21, 2006 - 1:26 PM

This is nice. Everytime I visit Betanews.

http://img520.imageshack...g520/6554/prompthy9.png

Score: 0

By nate

posted Aug 21, 2006 - 2:16 PM

An ad image being served was password protected for some reason by one of the advertisers. They are fixing/have fixed it.

Score: 0

By Joe Dirt

posted Aug 21, 2006 - 4:45 PM

Cool deal.

Thanks. :)

Score: 0

By Metshrine

posted Aug 21, 2006 - 12:59 PM

Wow, another case of "Dont open stuff from people you dont know". If the exploit requires me to open a file from someone i dont know, then I am not worried at all about it.

Score: 0

By AaronDobbins

posted Aug 21, 2006 - 3:15 PM

But you have to look at the powerpoint slide show going around with pictures from Tiger Woods' ocean-front house and the ruler of Dubai's palace. How can you resist? :)

Score: 0

By mjm01010101

posted Aug 21, 2006 - 1:31 PM

As mentioned, it can "come" from someone you "do" know, so the advice is silly.

I think I've gotten about 1 powerpoint file from an external source in my life? the files really aren't e-mailed that often between companies/domains.

Score: 0

By Metshrine

posted Aug 22, 2006 - 10:27 PM

If someone I know gets me infected then any further communications, via email, will be halted. Quite simple.

Score: 0

By MBA

edited Sep 9, 2007 - 3:00 AM

>If someone I know gets me infected then any further communications, via email, will be halted. Quite simple.

I just now opened an email from 2006 while cleaning out my mailbox
(subj: The house that Golf Built

It was from my Grandmother, for god's sake...
So one year later, and I have this virus???

Brand new system, not sure what do I do.
If safe, please (email) & let me know.

Score: 0

Sep 5 - 8:44 PM ET Mozilla's Aza Raskin: The journey back to Ubiquity

Sep 5 - 7:10 PM ET Red Hat buys virtualization specialist Qumranet

Sep 5 - 7:06 PM ET Analysts: Online news viewers rising as newspaper readership falls

Sep 5 - 6:55 PM ET Where does Sarah Palin stand on technology issues?

Sep 5 - 6:51 PM ET Adobe Flash to deliver NFL games in full

Sep 5 - 4:29 PM ET Exclusive beta invitation from GameTap and BetaNews

Sep 5 - 4:09 PM ET Report: OLPC buy one, give one deal returns

Sep 5 - 3:45 PM ET No ruling yet in TiVo vs. EchoStar patent case

Sep 5 - 3:37 PM ET Google Analytics starts tracking Chrome, with intriguing results

Sep 5 - 2:14 PM ET Comcast challenges FCC's authority in sanction appeal