RealTime IT News

PowerPoint, IE Hit By New Zero-Day Flaws

Software giant Microsoft is investigating yet another zero-day flaw attacking its Office suite of applications.

The attacks target a vulnerability in Microsoft PowerPoint 2000, Microsoft PowerPoint 2002, Microsoft Office PowerPoint 2003, Microsoft PowerPoint 2004 for Mac and Microsoft PowerPoint 2004 v.X for Mac, according to a company spokesman.

Craig Schmugar, virus researcher with McAfee Avert Labs, told internetnews.com that the latest PowerPoint attack exploits a buffer overflow flaw enabling a hacker to plant a Trojan.

The Trojan silently runs an .EXE file, which installs two .DLL files that operate as backdoors. The backdoors then post information entered in Internet Explorer to an outside Web site, according to McAfee.

The limited number of victims, combined with the fact that the two sites that were receiving information seem to have fallen silent, caused both McAfee and Microsoft to say the attack is a limited risk.

Microsoft said an attacker would need to convince a user to open a malicious PowerPoint file.

The software maker also released a security advisory suggesting PowerPoint users employ PowerPoint Viewer 2003.

News of an undisclosed vulnerability in PowerPoint has prompted an investigation into what Schmugar believes could be a case of computer spying.

"Probably government espionage is behind it," Schmugar said.

The belief that a foreign government may be behind the attacks comes from a narrow focus: an aerospace worker and the use of Office, a frequent entry point for hackers.

"The reality is we've been seeing zero-day attacks for three months now," Schmugar said.

Schmugar said this PowerPoint exploit is unlike a zero-day VML exploit, which prompted Microsoft to release an out-of-cycle patch it deemed "critical."

The VML flaw spread rapidly, used by criminals to attack thousands of systems and threaten the personal information of Internet users.

Microsoft said it will take "appropriate steps," including providing an out-of-cycle update instead of waiting for the scheduled Oct. 10 patch release date, according to a statement.

"Obviously they need a fix," Schmugar said. While Microsoft will have to weigh the impact of an out-of-cycle patch on its users, a patch needs to be developed to address the PowerPoint vulnerability, the researcher said.

Microsoft was unaware of yet another zero-day flaw allowing attackers to gain system control.

US-CERT said Microsoft has not issued a patch fixing an integer overflow vulnerability in the WebViewFolderIcon ActiveX control used by IE and Windows.

The security organization recommends users either disable the ActiveX control, render e-mail as plain text and do not follow links in e-mail.