News

Trojan targets Microsoft PowerPoint flaw

Update: The exploit might be tied to an older flaw in Excel. Attackers who exploit the serious flaw could launch arbitrary code. Microsoft says it is investigating.

Bill Brenner
By
Published: 13 Jul 2006 12:00

Update: A serious security hole affecting Microsoft PowerPoint is being attacked in the wild by a Trojan horse, Symantec Corp.'s DeepSight Threat Analysis Team warned late 12 July.

In an email analysis to customers, the Cupertino, Calif.-based antivirus giant said it is investigating to see if the exploit is tied to the previously known Microsoft Excel style handling and repair remote code execution flaw, with PowerPoint simply being used as a new attack vector. The company has advised IT administrators to make sure regular antivirus updates are applied as it carries out its investigation.

In its advisory, the DeepSight team said it has confirmed reports of an in-the-wild attack being performed with a maliciously crafted Microsoft Office PowerPoint file. "These attacks are exploiting a previously unknown and currently unpatched vulnerability affecting PowerPoint, and possibly Microsoft Office in general," Symantec said.

The exploit arrives via email as a Microsoft PowerPoint document attachment, Symantec said. When a user launches the PowerPoint document, the vulnerability is triggered and attackers are then able to run malicious code on a victim's machine.

"The vulnerability occurs when PowerPoint handles a specially malformed .ppt file most likely exploiting an issue in the 'MSO.DLL' library file," Symantec said, adding that it has released definitions for the malicious code used in this attack. The malicious code has been identified as Trojan.PPDropper-B.

This glitch affects Powerpoint 2003 and possibly other versions, Symantec said.

A Microsoft spokesman said on 13 July that it is investigating the issue, and may issue a security advisory or a security update through its monthly patch release process if necessary.

"Microsoft is aware of extremely limited, targeted attacks exploiting this vulnerability," Microsoft said. "In order for this attack to be carried out, a user must first open a malicious PowerPoint document that is sent as an email attachment, posted to a Web site or otherwise provided to them by an attacker. On more recent versions of PowerPoint, opening the PowerPoint document out of email will prompt the user to be careful about opening the attachment."

In addition to keeping antivirus programs updated, Symantec said IT administrators can blunt the threat by:

  • Running all software as a non-privileged user with minimal access rights.

  • Deploying network intrusion detection systems (IDS) to monitor network traffic for malicious activity.

  • Not accepting or executing files from untrusted or unknown sources.

  • Not following links provided by unknown or untrusted sources.

  • Implementing multiple redundant layers of security.

    Security Wire Weekly
    For more on Microsoft's July security bulletins, listen to Qualys' Jonathan Bitle discuss the latest Microsoft Office flaws and fixes in this week's Security Wire Weekly podcast (.mp3).
    Microsoft was not immediately available for comment on the threat, which surfaced a day after the software giant released seven security updates, including one that fixed eight critical flaws in Microsoft Excel and additional flaws in Microsoft Office.

    Security experts have warned that not all known Office and Excel flaws were addressed Tuesday (.mp3).

    • Read more on Operating systems software