[ISN] Microsoft to plug PowerPoint hole

From: InfoSec News (alerts@private)
Date: Mon Jul 17 2006 - 22:46:13 PDT


By Joris Evers 
Staff Writer, CNET News.com
July 17, 2006

Microsoft is readying a fix for a zero-day flaw in PowerPoint that is 
being exploited in targeted cyberattacks, the company said Monday.

A patch is being completed and is scheduled to be released on Aug. 8, 
Microsoft's next "Patch Tuesday," the company said in a security advisory. 
The fix may be released sooner, if that is warranted, Microsoft said.

Word of the new PowerPoint flaw came last week, only a day after Microsoft 
released seven security bulletins with fixes for 18 flaws on its July 
patch day. The new PowerPoint problem could enable an attacker to gain 
complete control over a vulnerable PC, if a malicious file is opened by 
its user.

"In order for this attack to be carried out, a user must first open a 
malicious PowerPoint document attached to an e-mail or otherwise provided 
to them by an attacker," Microsoft said in its advisory.

The vulnerability affects PowerPoint 2000, PowerPoint 2002 and PowerPoint 
2003. Attacks that exploit the flaw in the presentation application are 
"limited," Microsoft said. Typically, they have to be widespread for the 
company to issue a patch outside of its monthly schedule.

Some security experts believe the timing of an attack to follow right 
after a monthly patch day is no coincidence. Microsoft typically does not 
release fixes outside of its monthly patching cycle for such flaws, giving 
miscreants at least a month to try to profit from them.

