[ISN] New PowerPoint hole used in cyberattacks

From: InfoSec News (alerts@private)
Date: Fri Jul 14 2006 - 01:09:16 PDT


By Joris Evers 
Staff Writer, CNET News.com
July 13, 2006

Deja vu? Only a day after Microsoft's monthly patch day, a new security 
hole in Microsoft Office is being exploited in cyberattacks.

These attacks take advantage of a previously unknown vulnerability in 
PowerPoint for which no patch is available, security experts at Symantec 
said in an alert issued Wednesday. The flaw might affect Microsoft Office 
in general, according to the alert.

Microsoft is investigating the issue, it said in an e-mailed statement 
Thursday. The company is aware of attacks that exploit the flaw, but those 
are "extremely limited, targeted attacks," it said. For an attack to be 
successful, users must open a malicious PowerPoint file provided to them, 
for example via e-mail, Microsoft noted.

It seems like history is repeating itself. Days after last month's "Patch 
Tuesday," security experts raised the alarm on a "zero-day" flaw in 
Microsoft's Excel that was being used in targeted attacks. Microsoft 
released a fix for the Excel vulnerability on Tuesday.

Like the Excel flaw, the PowerPoint vulnerability can allow an attacker to 
gain complete control over a vulnerable PC, Symantec said. "When a user 
launches the (malicious) PowerPoint document, the vulnerability is 
triggered. Successful exploitation of this issue leads to remote code 
execution," Symantec said in its alert.

On Tuesday, Microsoft released seven security bulletins with fixes for 18 
vulnerabilities in several of its products, including many in Office. Some 
security experts believe the timing of an attack right after a monthly 
patch day is no coincidence. Microsoft typically does not release fixes 
outside of its monthly patching cycle for such flaws.

"It looks like the bad guys are waiting for the Microsoft patch days in 
order to use some more vulnerabilities in Office," said Andreas Marx, an 
antivirus software specialist at the University of Magdeburg in Germany. 
"They will now have at least one more month for their attacks."

Microsoft said it will take action to protect customers upon completion of 
its investigation into the new flaw. This may include issuing a security 
advisory or providing a security update through its monthly release 
process, the company said.

Meanwhile, the software giant left two already known security 
vulnerabilities unfixed on Tuesday. One of the flaws lies in a Windows 
component called "hlink.dll" and could be exploited by crafting a 
malicious Excel file. Another affects Japanese, Korean and Chinese 
language versions of Excel. Both flaws could completely compromise a PC if 
a targeted user opens a malicious file.

Although Microsoft was aware of the two vulnerabilities prior to the July 
security bulletin release, both issues were reported too late in the 
engineering process for the company to include security updates with the 
July release, a Microsoft spokesman said.

Proof of concept code that exploits both flaws has been released publicly 
for both of these flaws, but there are no reports of active attacks, 
Microsoft said.

"So we have two old unpatched holes and one new one," Marx said. "We're up 
to three troublemakers now. Excel and PowerPoint can be quite dangerous, 
at least until the next patch day."

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Fri Jul 14 2006 - 01:20:28 PDT