News
News
7/13/2006
02:36 PM
50%
50%

New Zero-Day PowerPoint Attack Under Way

There's more bad news for Office users. An unpatched bug in Microsoft's PowerPoint presentation maker is being exploited.

An unpatched bug in Microsoft's PowerPoint presentation maker is being exploited by an in-the-wild attack, Symantec researchers said Thursday, marking the latest bad news for Office users.

According to the Cupertino, Calif. security vendor's threat analysis team, attacks are currently under way using an unpatched vulnerability in PowerPoint. If the "zero-day" attack is successful, the hacker gains complete control of the compromised computer.

The attack is carried out by a Trojan horse with the moniker "PPDDropper.b," which hides inside a malicious PowerPoint file attached to an e-mail with a Google Gmail return address. PPDDropper.b, in turn, drops a backdoor component, dubbed "Bifrose.e" by Symantec. Bifrose.e then injects a malicious routine into Windows' EXLORER.EXE process, and overwrites the malformed PowerPoint file with a new, clean presentation document.

"The attackers are trying to slide under the radar," said David Cole, the director of Symantec's security response center. "Once they get onto a PC, they think if they delete the infected file there's less chance of getting caught.

"They're trying to get rid of the evidence, throw away the crowbar they used to wedge the door open," Cole added.

That part of the process is identical to one used last month by a now-patched Excel attack. In fact, said Cole, there were several other similarities between the Excel and PowerPoint exploits.

"Both use a two-step attack, a dropper Trojan and a backdoor," he said. "Both were launched by messages written in Chinese."

The similarities led Cole to believe that the two attacks could be the work of the same group. "That's as much as we could say, though, at this point."

Unlike the Excel bug, the PowerPoint flaw -- confirmed only in PowerPoint 2003 thus far -- remains open to attack. Microsoft issued three security updates Tuesday to fix various versions of Office and its applications, but the Thursday bug was not among the 13 flaws patched.

Microsoft's Office suite has faced a number of attacks and owned up to numerous vulnerabilities in the last two months. In May, a serious bug in Microsoft Word was used in by hackers to target one or more corporations. During June, several flaws were disclosed in the suite's Excel spreadsheet.

"The attention to Office underlines the shift toward target attacks," Cole said. "If espionage and data theft are why attacks take place, what format is that data in? Microsoft Office. It's really that simple."

Symantec advised users to avoid opening PowerPoint documents received via e-mail until a patch was issued by Microsoft; its researchers also told users to consult the mitigation tactics laid out in the MS06-038 security bulletin posted Tuesday on the Microsoft Web site.

Microsoft did not immediately respond to a request for confirmation from its Security Response Center (MSRC).

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 16, 2014.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.