Update: A serious security hole
affecting Microsoft PowerPoint is being attacked in the wild by a
Trojan horse, Symantec Corp.'s DeepSight Threat Analysis Team
warned late 12 July.
In an email analysis to customers, the Cupertino, Calif.-based
antivirus giant said it is investigating whether the exploit is
tied to the previously known Microsoft Excel style handling and
repair remote code execution flaw, with PowerPoint simply being
used as a new attack vector. The company has advised IT
administrators to make sure regular antivirus updates are applied
as it carries out its investigation.
In its advisory, the DeepSight team said it has confirmed
reports of an in-the-wild attack being performed with a maliciously
crafted Microsoft Office PowerPoint file. "These attacks are
exploiting a previously unknown and currently unpatched
vulnerability affecting PowerPoint, and possibly Microsoft Office
in general," Symantec said.
The exploit arrives via email as a Microsoft PowerPoint document
attachment, Symantec said. When a user launches the PowerPoint
document, the vulnerability is triggered and attackers are then
able to run malicious code on a victim's machine.
"The vulnerability occurs when PowerPoint handles a specially
malformed .ppt file most likely exploiting an issue in the
'MSO.DLL' library file," Symantec said, adding that it has released
definitions for the malicious code used in this attack. The
malicious code has been identified as Trojan.PPDropper-B.
This glitch affects PowerPoint 2003 and possibly other versions,
Symantec said.
A Microsoft spokesman said on 13 July that it is investigating
the issue, and may issue a security advisory or a security update
through its monthly patch release process if necessary.
"Microsoft is aware of extremely limited, targeted attacks
exploiting this vulnerability," Microsoft said. "In order for this
attack to be carried out, a user must first open a malicious
PowerPoint document that is sent as an email attachment, posted to
a Web site or otherwise provided to them by an attacker. On more
recent versions of PowerPoint, opening the PowerPoint document out
of email will prompt the user to be careful about opening the
attachment."
In addition to keeping antivirus programs updated, Symantec said
IT administrators can blunt the threat by:
- Not accepting or executing files from untrusted or unknown
sources.
- Not following links provided by unknown or untrusted
sources.
- Implementing multiple redundant layers of security.
Microsoft was not immediately available for comment on the threat,
which surfaced a day after the software giant released seven
security updates, including one that fixed eight critical flaws in
Microsoft Excel and additional flaws in Microsoft Office.
Security experts have warned that not all known Office and Excel
flaws were addressed Tuesday.