Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft Confirms PowerPoint Zero-Day Attack



 By: Ryan Naraine
2006-07-13
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A previously unknown software flaw in the widely used Microsoft Office presentation program is being used in targeted attacks traced to China.

First Word, then Excel, now PowerPoint.

For the third time in two months, a zero-day vulnerability in a widely used Microsoft Office software application is being used in targeted hacker attacks.

The latest attack exploits a previously undocumented flaw in Microsoft PowerPoint, the ubiquitous presentation program used by millions of users around the world.

Resource Library:

The attack comes just days after Microsofts July Patch Tuesday and closely mirrors the situation in June when a zero-day Excel attack was discovered 24 hours after Patch Day.

Virus hunters at Symantec linked the zero-day attack to a Trojan horse program called Trojan.PPDropper.B that arrives via e-mail from a Gmail address.

The subject line of the mail and the .ppt file-name are in Chinese characters, suggesting that the attacks are emanating from—and attacking targets—in the Far East.

If the PowerPoint attachment is opened, the Trojan drops and executes a variant of Backdoor.Bifrose.E, a keystroke logger that is used to steal sensitive information and send it back to a remote server controlled by malicious hackers.

The Trojan also injects a malicious routine into the EXPLORER.EXE process that overwrites the malicious PowerPoint file with a new clean copy of the document.

Anti-virus researchers believe this tactic is used to wipe traces of the computer breach.

A Microsoft spokesman described the attack as "extremely limited."

"In order for this attack to be carried out, a user must first open a malicious PowerPoint document that is sent as an e-mail attachment, posted to a Web site or otherwise provided to them by an attacker.

"On more recent versions of PowerPoint, opening the PowerPoint document out of e-mail will prompt the user to be careful about opening the attachment," the spokesman said in a statement sent to eWEEK.

The company is expected to issue a prepatch security advisory with guidance and workarounds to help customers block potential attacks.

According to Symantecs advisory, the PowerPoint flaw affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Microsoft Confirms PowerPoint Zero-Day Attack
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


xv8 |NJ5]kv;:%e[jKoP$$LjR5=_nZhKN*m@ 6}Aȹ3!)ٟЧGo-zIj}݇@AezNULsJԶn\7n[3P/a᳙(,Q  tjOt0]2dԵk6!gekO/cߨX`&`1\lTl@!j:i?xi='@Ib(#ѺC(Dߵ-m:]'|w*UFn3p{a_ʞz5ExLԸ#|x\'gϏ>0{/<Pcw̪Ҵ?7Sա*v25v+n /@Z#\DȁYBnh=7d7|#25ARZB[4HGmCc7`pm׃)KTQ3c}fݳt#Գƀu|ף&[!&$f v?ƭ M+.l5ZJP0'C8:)xC'ס,nO`uؾxsyHn.j.9bcm ͻS @2zz`N8,2踞þʲnMwͰ-&@6#M-jZUQ bkG╻o[BU;ƨUMSEsˑGA GnGp[J^׵V\u~nGkr  + o%&W JDTRBh$" Pc@G'I_:H5}(D~7B-b)ڑVP\GFZ<,"J3zĢJ >gSKrо]um2h_uڧH>߈ekby1=b Jw#=Z׋%uսi?wN}$/#t6 +?[8V'_ZUկ7#?~f[dPp9LwjTH ?'/6Vy$Y.rk"8\CJ ݖeL_ȻD\KŗG)H73ǚ-4ɌcPu t:9CsfZ[cW)MXRƒ t$υu[ϝ5Hr Ca)#p?S%Wi8@r5XSl \MF4x O2X U >hI,E[!fT}N}%I Fq\l8d(n)sɹsP& z5I#ˋƠ` V<2/?뇾fxs݀§P}-f`sDo뷺e#0(sx??k1 %@H@t"BђF 4  gscX"K"'@@7;.VKŤ\*1=Ri !swRTD;7քbZ z)0 eVRiG0-&D7r"e.G7Kᙖ6F=okVy y=0gГj G議C`VaNg43aJ[6 }~؄>vļZBfaT5Clq-Z ;vm۽ sq,bj\X"~o©5z6|*j0FBċV8l^;,1r]ilu0q`* Z3:sGV*7ی;$!UTmDq" ֚p성 .c*O|=vG0$u`n̂_HE"}[pp\U.(L0:Jr2b,X[TB$f6t_܀bIt?a1:C>5z_=2dB4^UYf"{LRT j%F8:*GERWt~ǼOԀA_A~f -4/~QjCzMp`>s@.μ + '2E<&&{#KXeX}Ft!/cԧ8HȺU0UESUG++؝?F]h6B\4<}gS5 pfnWQ=KkjXX'RO.x[z6Gs- 9^R˶(SL @(8u|[9(W` >6z0fƏQafY[ ສTjՂʾEUXY :iw3 9 ~'H y V9y^%fR+a1o-*=靬Qm(}To_@7W$kj VRRXU@V_A ұg / _wn/<]٘i }SU!ӔRe ɢ)6VCiB/ex.]c>/ci)TGEXqkX #=ϼ +(U|dy5"QrEuY |&ŏhȇUrmv=C~ =բ,AEUPU(V $ ~Vp8*h6Y+#t0/7" ނbl ezפ\+J&厈¸_vG^Iўb2aϙJw޼܀8P~u$,+1Up]t3Mc> h ztS6ndULJZZ$|p` N @WqT*LrfWϊ^\~;l `yAr+{!\4>v.ŗtO+~Jw.R1A'y2#&<|m6!>48rEQG$M "a]Zqn}z}HiR'DZ3pq*d hwlj9l0`&0!9˫|1{~U*۞ #H1Ń O~ؑq eީӊN|u +KׅNo͗!WC1k{R̵jПd#AI=gw;}T>eNx>IАZ=p>愜00;~7rO0>R8i?{}pҾ2CWqk:+@^l"$$yUZFVU3$]e% >Yx2M3}վJfzӼ2iAxl3O7nC\pb_#1o~=ϸ2]a*w}o}VZtCqD &x/.)%eu@OKtG]_Q{O{[#60N Ħwsgcgf7XcŸց!{ Rf':滜;a!3̑ +Ӡ5m.s$;gr0G c*yx\[w5&P)<A~A< v4)[˷x:z}in;d⫆ܖ~@F' zYOXW+O*[QVD3=9dVQi9 ӏvZvCWH&*qHMl+~_n&%KR$埇]qx!q/.+q=KnI$M`mE&J\o8BG#TZ!>B1eCErדg0l 7ӼXI|Ʈ1 ˥ cn&HC/6;8c`6 &GVQJ9Պ&YjR;pEMzS<͐O c.ޤs;QBt^ZrK#ϑyN =~¶,bťzH d̮lěd%.GޕMAu mM# 0)RIB*![iGd.H0$`" }0A?/%D>⿇|@)ҔLzs d4-B|p\RJV}<ΖAKiHq|{փtjT bWt JW}0pXH,)I+nKa##t?p:%;/0P _af@KDq^ L!0#LhCL'ע*l3Nw(-E_^ ֛=HǔUv8JL'!C!R_ 8;b!'Re[Z*- Vb *i:])f@NrI+K[, 8H'!8 rz"Ve6nT}GGU%uk3cā~̉G3j$ ERR3DѶǻU$mkSyEgUrV…I؛8{*:֏H]g*)Mv޵S>I8pqs7777䫸&zk2I/ MʫNz՞Qe\R?d~ . dk[T*jJmI)^QLOHxFd؂$Z`6fVk$"t/eKJ|17$|i5+0҅nHJGݻl$RIZT)!5kx 6:|#$Zg|[R^wi7K-S-:(@&ڬs1tۖղZP7Pb3(@ JP€2d@2Bd=I'%_Zl[1kH'7wŭ5^K#(BA$ poL8xtn9+w(9vz.[LI +RSeAx {WwJUT*V3ADx# #1"YcD4^ lJ@j7Xof!nI/k=}g/;L‘zx /u[R1 `;bl^Cd9"@ \B}ZhΖSyTC&yeUq cX4GJDyL0LjPo'@\+lQQ6JD)}.Iޘ}mnnz./ qgk~----ev-Ge_s#[ +˿ax(qF >u B|#awaC`_youGvmk+W/0:@eă/ZT:s r@M,0*@jMk6[w<1'3!@ >'RK!#uSekH8dނtBĵ3ɂbd# ?X]_fK&ʎhVk{N#:RI-IAŽfY;)%6 @b7^9$!# =U;.B4<Ʈo*n؝yAכHEVcf2a 1<@ B$`y6.ؾ$7(~ҸMbh97xfXqGĘH$;`OgM|qAu<Òw4al#(eG-LI޼x"y JOykk/L|:,Wa$}*U?n#t) ţ!{6Tk~mYLM֜fFRs Zߦ m_mLT(V_&U6e#{tҕlJY2VC|_~_+-gzc~2H@85Q/NlHD(&w 8c[[Ƴ@Ćc  &tMzDkJMu-E ~3^"Ҷ- /*`6m{pOwҦ}-GܮbVd=-Dw߁\<=G&"{Z ^_jT608;7~@(VSo\kE_A-mҴhgϡ?:/ 3gA>fOCMw A:yDz? 3,K?#"lIͦ*0iS!Lum|vz#ou?&nU&S(,1^tY apGɤR͏,:_;E/^! <5ѥ=i=y _ntO~;='bkek/(G>?FwE:^ۏo3? ~U3v᫉PX8!6&9pˣa#ʵmq|DEFfq.\ؕY e9LGbJbfiA i!Fv={Kb+J7;F$q4hkjj5v5V^ CakjrF-?x$ǍE/]^|~8.2dRCm  /(_7^z2lsy̩Tl/ZNxWHcΩ]ZE9>%KRku+N ߥtc \ n oTJ9t{`ɣs#D(\t{pU) & 0Z|LhQ58wM<ڜ0-yM13цX50yf׵GaYv̈́󄾋7ZzZ<HsS587ٺsI9ujLyaEG8aciw;Y1[+`65OR.g@%[7\ 0r&E"#m J~RR|CjUMhբ*<$TM'ȕF1špkBK.xړGF^G<2RI+ۺg?΁Fp}X23 kF&.@Y>lgN((bL~-= <1f?|r|sz9}Z<֛k*u8M D;'}XC@WݹHm+nl@'[, lpPҢ3f;6vfRjW >KqǣP\ׯ0OyX^K\CaeIymLO6mIU+ ַg%=ڥ]baiL\#&N9ݱX Zz] sjX:?K }+6aiʵxd=-0X\U}bt9z&f63ZI B<>?|B<1E&aJ$  Ĉ[ bU&wܠ~z*ڟOe^n B {?Jl~C#hM,|U:m|%w҅n,1MhA 7-d߄QT14 :{ѻrPZ=+G㏏_ 6a^zGZq!G)}o #d2zޘ9p" YJWH7}H['鍀I䏖+62sjl %IhYP2CsN.`о꣇U #`.P^[H΁u0_| XP4ṛCO좺t@"]Q.ˮкbU? |9@G)׼9Ĕ#>P޾겯Ԕ&ETw.3OaDP=SbX"hR1Q(px ~3&v+"&(6@א0H`l'ƞ;#H 1bNx 1ӈ )Os6:9 ccZ|,{{GǙ;fQWJKqt]\P"@J>S|??&~?OHB}s  .X`sYej xpx}6? wSܕi^51 0Y:N+r HPgA~\bԔ0(VIB qXR~DB(s s9$ 36ú~> _f?Bp),f,TՊR &uUCu]j)@]xC= YV^"zӄ\I \A] / PIZ W}KI}a3Bs31hz_i4UM'Wޠӽ$5¶-r5uw[_N/vs9hbv>L5mkL(P^6/NYPʙ~oSg¥,% y*w"fE'ҽlIJ/6ρ3_2_3ʯjsI(QޅnF9R`sy pjg@Si~>B?f'(ku6wZFQd3ˌr's__s]"c~.`Y\d碏e}^dE}"^f3(?A2/"2c~/.32cnF  !_z@ ~2gg7Ƞ??}}ʠP99c|3w Y@{ _g wAI]'Izʛ|픊8kgK " SV9,.O3kP! g  z-2r!{ˀ~_} kwm%R+ ]Q%=-{[I2}Wc|u(X2M*%!#(<8%Y}MNJ 4tk 7b[yDYAI{R}tEI>tqLwzP[ԙqޢD)Fy5C>RqFPg~Ug= :!fŬ^`l!x}k6OdB'pZc( fZ gx:NBhع+jz|fpOo4pGsn ߛw94l H$7_rQӊj~JR}'\!aڌb%e$&T_$`vXJ D`q9CTx|Femګ,91C=b;hǬ[ɖb(wp E#У /v̺˘V͛Yʌ*æȗᄽIگ!ā` }pTR Pcoy =u] -F$5Zr{I2hؐMK؊9N-#X N>@OgÙ#wHX&38W "-7.@c d߻E!N-x uY`(X5RǬȽGӟ}Q!je:YV/ipzx)/ " n+QjpLZDA 0- xƍQg;쬉פ`H$8Ï }CQ=;l܆,4]ݍ:S'/Հ`ۧ޲|c;Ԥ Id b2Oty'0OF<#FOb\װnnϘwM9?`&< Ä-YRŶ/G㿄$E0|K `?94Ǟ”(?W$N*1PΧg#}^X?(xma?W>de]:E)x܁AGRfMw8:Z5m$$&b3@ gYlVHR۝cNm& ”s]q5tϘJmgX|@ăx!$k0Wp\eC[gI2D~{F=&*P=Em- e'.r}7{ /}Io=G}k_VeńK!8F>HYUҎ_[@B&`ɕX)un'|oW|F,Kl`B`t0`*sˠvSC@_v܅eUhJm;:d2֭0kc'pg!MX|wVulם8G; ⁜0ћԜP1$(+nOvGD g>6'كl4h}, Xs#Q%` <{|!zQˤ`yM`ߟ2"L- Ԧ?3w)+],by٨3&g0lB eȱ(lyJ͜GċOgW<߶nZP/jdV(lٖ?] HױQ5¶`:#Vڕ*zYD1e~}=3Ӳg(q2,@PpPmk+Wei$ցi{$qsh݆G0ޏq7Pl@xSb G:q3r26MvQmS#ন+N]?41Ȟg|Nuu |ڕa=vU\:9yۙF ya1 g'{y{~kC'> :맱:Y}#s!?²Lj3mg^^kte(n aaXdS1#7@j0\|H d[\O^مt&3k/YH~>  r*r*]xWI"cXMx@t&W3.rWbMd?r^k/o ?Xir 6/:_yH%L=Sw QFk;O(QF2x68\S|=^`gd /=n%mӽj D>Vl:񲞽T7v r̳`bhPl-jez'14mEgl(3W'5X-lu o"f/F ۲M*i29Z{) qͭ֫"mxTɉY+z[;6Nw6̈́M /b;f1Բ`G?*