Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft Confirms PowerPoint Zero-Day Attack



 By: Ryan Naraine
2006-07-13
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A previously unknown software flaw in the widely used Microsoft Office presentation program is being used in targeted attacks traced to China.

First Word, then Excel, now PowerPoint.

For the third time in two months, a zero-day vulnerability in a widely used Microsoft Office software application is being used in targeted hacker attacks.

The latest attack exploits a previously undocumented flaw in Microsoft PowerPoint, the ubiquitous presentation program used by millions of users around the world.

Resource Library:

The attack comes just days after Microsofts July Patch Tuesday and closely mirrors the situation in June when a zero-day Excel attack was discovered 24 hours after Patch Day.

Virus hunters at Symantec linked the zero-day attack to a Trojan horse program called Trojan.PPDropper.B that arrives via e-mail from a Gmail address.

The subject line of the mail and the .ppt file-name are in Chinese characters, suggesting that the attacks are emanating from—and attacking targets—in the Far East.

If the PowerPoint attachment is opened, the Trojan drops and executes a variant of Backdoor.Bifrose.E, a keystroke logger that is used to steal sensitive information and send it back to a remote server controlled by malicious hackers.

The Trojan also injects a malicious routine into the EXPLORER.EXE process that overwrites the malicious PowerPoint file with a new clean copy of the document.

Anti-virus researchers believe this tactic is used to wipe traces of the computer breach.

A Microsoft spokesman described the attack as "extremely limited."

"In order for this attack to be carried out, a user must first open a malicious PowerPoint document that is sent as an e-mail attachment, posted to a Web site or otherwise provided to them by an attacker.

"On more recent versions of PowerPoint, opening the PowerPoint document out of e-mail will prompt the user to be careful about opening the attachment," the spokesman said in a statement sent to eWEEK.

The company is expected to issue a prepatch security advisory with guidance and workarounds to help customers block potential attacks.

According to Symantecs advisory, the PowerPoint flaw affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Microsoft Confirms PowerPoint Zero-Day Attack
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}v8sjS#[rZ]ΜG"!eT韸/O7NnZhK']D ~vv$IMsל۔N]sSã7w$wv~]2I-*_rdz&j9%G jL7R}f]S ׫LNშ :#:UG.Pk< jZ53j5ԗoˏne0.ZIQ6*֠Oմn۴$1q@ݡh] YQږyH6GHaT`7sIzV@h ɠæ&q!꟔Cp`iFSK׌<{mH C[w5-%ZAۇ8o_vz>|j+r m N7߉QT"*rp8MI 1q${@BsoVS+~ASC T$0yY>E4b‰EU}$vߔL-~{Hu|ztn |')ĠV*PFbЊ%+gxc_-:NWOWfGN:>n>s鐚&tXAZ|[kU[nG!njdPp9Lwj/H ?5;VY$Y*r$8ퟟCJ ݖEL_ȻX_wKŗG)H73ǚ-=0ɔcPu t:9Csڊf}t-Mn "dLi&έZp-Alo K(H)5?&yϚb.L2o<|)=m̗U/d`(AK/g 5t*軤(If0A0<^f/_\RG 1 p1S{".Ӱuarv}ZnV͉*YXYujZlY?iQwθ~j?^\:5>@*NR}:;SjZim;Ni|Q}ѦޢR?ݘXiI'0i +GݺzN߳=Uԇ5D%h-DCwM0Ie!S@uCLέ]2C?FlEP>X^0G`^@8ppyY?90>o ߝ5#z[-[Z6x G͹A QN\Q@M2(%E2{4.'P(AH 9 \99|?#!bTLZ(6ݞH:s@-JEscMX*QY,p[/ Pf%)5{~6 cbB|#'"Xr`Y \h+|h)lb V.hiȨPs0=cWV+%EU} H&tTܷP9<:79HQob##YHLq;2@&{l6g{A3uNP"'Կ ;7u9\϶T=\҇9 UQR }+rfMAR?Ty  Bdj/h~W.Y 3EXVHdF!zC{ޡ[Y3T)w^IY䞅T_9YX XM`v7 ,Rd0q6NI SXh8E/C4꾶'ei[%ͺE[9(ĿKӺJj'-H#oh koռE_xue8Hi K-CrB`}.E6Gh?40Ov=p=F5}n& VoU wß@X[)ZPbY;L`beQӿR&a+\ڨ·'Χޱ;i6E7[{\MW@~uf:s?RlC4HhR+}neQUU[*X[ 3D2.P\+Cҵ3KwEe蘆H &}Fl4\Z#V!0\ |D30`,e߯COM:b^-!=ZSYɰ\R >16D ȸau-`byfc]Wѹq}O8l1D-g@?aRo5>  T#!EX+LTBYah[s6/z}xN`+\rW["LJ}=Nݡe5m*IH aۻ(Qܦ&;alâ˘c_- #>(cpHl`_<Ӈ> B LRE\ ~1~1UŠP=) ]`uX]/XL+*)Gpϟ  sWyGY?Oy^Hk )2)<:narUTՑn OGA.C{MtAjZ,@ ܠYaiO}Z,Y~B)' _k1&D@v.eۏU)&Uj l|`Z܎:{>-֌H+ c4}52*jAe߻ݬ`,m[D zDÈ i[qņZ ZYMf~ r?pߎXAmš9k+sD ü |30Jјl7hwMШ6> YLZ<*ɽoᘻ,OPýo~QB<Z\#h 'z+Gjz %8r zĀİh{~UM+%u2YhSIlؤC}gun22˓O~uTSc'oa#?ҍLnUc;2~ z:i0-a`O- v uhՂ|ͧ jw\0Z|_/giGu"M."08zGdDRz+~|/I6A'|[JI) `uVEZ)~)HǞ1}]ܙe>t1Վ8*z)O#ʜE/S Ymq'&.Ҁ^\T3 f;6}b;/ci)TEXqkX C=O f+(U|hy5"QrIuY l&ŏhȇUrVՏC~#=֢,ADUPU(V $ zVp8,h2Y+#t0/7" ޜblk ezפ_ՕIOe3q18@X=y}d6 5C1t53qqfS}qmYVC6fIJ}A1Tl\˪+> tVB 'I#cF􀮢e4qyh7(jMY@h# ;wk~ʁnUR#|(VVJrȹe0F\0R,W1<ʢ'rUN6._-Java *s>P|o -"ԄֿwLaV*7xo~.RHC$ |J DA&=~?|?HM}Y^ٷ9P K1RCbw}\ɾ3zZvfta Na啀 _9sq}!}9\C|}ђ;]֓! YKBV=gex6q)qm2XG42u\8$Ø=^p@ښҹl.9`B5c-I'" E0q0aUxy~ïUk~ ~$Ã*XAQ5@+JF4۽Yst;-38Ǟu}h!腘:Ua2"(BR.IHO5xlw.(6;Fыٿ #^ 4~ y,~y<~_dxD %GBY{pңXTJ긵vRt0?x>k z?$iZg Í7"tSOKԫ2L:&r֚SD[@ {BAJ;DHA2Sq?Ic6vYԺ[&L#pAS2%ə(D=)!*ښI$"8J542 eI? Md4㓘PV HɂjӚmf .iغm|d<ဏQJh 鳁VKu^c`|xR̅2Yi^;Uv;S=v<9w\3r$6l\N*tb9,_k==˲yӅce'9v$st7=&Ս A0nskt;GR r0&x&4lyWy# x~4qj\Y93 Zt gcBxa1~hSrp쐋N4KҸ?1LZ_ |1$?[0#|&j~>xFMz@uS棏g 95'Ny V:7vkm,da3f/ݷ~vcW}; ?-l-8t砖CTϏ$ɘNBAWU-u*lko(rY9sJEOVr;ѡhd,#Qd1ӗs0dƛaK=#tzooo=ȥ֛ݥq=*~OOv7]f+wuB%u-JKz9nwhp;D%YȁqQ#y6K`#jv.b_;+&bi4W;Tf{ts̷kD>dO1\j}|yg,d9a}4ؖrnbLd<J;mmoݍn T Of!!%FJ--cm !ဟк õcV#Ǵ _/qFԱQo*4oNƂ1f̙ʈ1gcRΟ_R;Mo,)?Bsдg=.0Sa_˽z2.mE.zQv%Fm7^˗,t8qx|[_|cd E7%oaG̓][+@2$,j[p{c2㱥b7)&# w2g@O)\)r0, 6'S$t&>?̦i,:,ɰISV-8 &1A-3Upe~by !E0?;ۊ.-h:N*bۮb [Z;mb%+xZDzdId+6$e%!p-ı ̟ir7Dy5'B|Y}J+'f4cHzgŸ-BTtW8~mԎieQy5>D Ϭ;j3KwU@=ݩkZHsf~iz(`@q&'C*Y?K;f!r+"Ye{GKuzuB[S@G &Tꁭ uoRPJȖb zL"lg1 aLG(SS[!c\`wUn nKJIҪo2T{." 1tzN,J]Xd]*^WIꫠ-q %"iMIx 0#}mS.1@ю,oK]L4uA3K_`F@; q$`s}D$1H %I8vQLJUL-lJd3=aAze>:xN)SHpH$ʄЖXhA׷|TٔJEK"IC;9J*@ھtIm9j$=c\ Fj# 8Ipeٴɸ[URUI*=:d&g{lMKrMwj90RQUu" >[fe 'Y+[!a+%| e{մMɷ3ґrdK0T[ZV JLr&%(@JPƕ +!X"7$s+ߘm+|ұ\qWtA!R*|Q0H0^rKpWpKVDPst]c/fwJUT*V73Jx# #1"YcD4ނlO% kc7gsY.CroH]{ #y—:7Kf_2iP/!GD \.Z!> -тy{LԷgCꩼU*\"v=281x#%U &&52!%6(FI( %є>fBL4N=熸γCҵ̃xrT/nrk\;ڂHkTxAl =@ !N2JX?7\7{4MZߴ˻rEN&Xs s`{_>nt䀢[`T<l~$ f]{x)a1  %<2B<AI1ou\“YG;_>Og}.x4`gTJwZ) (ş {+㒰)63wr5kB*^UuBj/ǃ˹` ỲP!jNk19Z[}ʚLHj~6}A˽=V4yN mX[`cX]EYj˷>*qdyNgmV)Kjhk+1}HiL}^M`zlï^Bif-e։5iV(3Ta5s+x (f0!N7z=!R|pL`Iv|wouv1 W 87eQ|Ҟ_FBȣře^Æm/'IO eXL,3'g(Idn+{SL+71Cոol`vtq"o,R=X&Qq})IӢ=,#όQx@nCnŽ[Ik ̰6$o,SPcG4SST4k ?D~LuM|i{#o?'.&u,,Ntɚbp?W䤟R-:_;E/! <5*Յ=+w=y _ZnOn~;'bˊvמS|l:*ju<6f1$/`qI YW HqCvN rGÂ-ʫG30kq'ϊ.#j\DkjsܕĤAI҂B4ʭwĨW܁n"ﹷHhHUWkw+#,(K"Z"'"KIH^X0BpD]dbɤ:^P4o&A40fS,^FJ11ǜSe\(.HQ,:-~e=_@F+3}&5&LI9RE(*Io$ΨPpэdUP*$4h1%-F55R`sܴܧ5̈bvӚ \lzZC춴J[7^6.W@O[jkwhDP"ͪNDv`h*'} 1yGHt^vUg#G2Gn-)RjXxZ>ITnp=jh0'ӛ`6 **e9 JI->sW5UpP7 #9@sk Փ>-,Qku$ζy1K%XS#o}O;T`v)Os~-?(BAdӓ_Scø@G0cˡǪchF]襃ҵτ8M D> ^Rc$W c,Y}:;(iҩH Wkm2R)598fCyFscyGX\sjO\CaeIyeLO66mIU+ 7g%=څ]`aiL\!&'=9ݱ=X z3jX:?K k`\adxd㍨=-0X\U%}bt9j*f&3ZI5B<>?|B<1EaJ$ Ĉ bU&wܠ~z*ڟOe^fB ;=Ll~GhM,;|U:m|%w[ҹn,iMh\17߄QT14 :{ᛂWZ-2G_ 6f^ZgZQ!G)f}oM-ӴiLROW\N CRY `Oi$~b C"vFf.BT0 u>!$  JzhEw[= d 9k `u@C˜a=T*0 D'#{x (]A.;BxWt'ly.cⲫư:?raqn?EpБ`A1HST~mZW^^}^ cpTprD#d5B&t87>|ߟ/{=j&[pOrsIA!5Q"`"1a9=g1;VRɫ1{SelUo%P`qT|8snjH5m+L(P\4[NSʩ~gSg̥,% Y*w"<\rФo%ug@gB_KF%_/?n62;P(GJ/oc(?^_~9חsv3Wo73ʡ}Qog^k/3^_~2g9<瀟 r <<ϠOы_|OP~Q7([F9g^dE\]d_O'Ct@t2K裛A]x%e``c}G ?e>eS**~2/$)CAy#]\8=Rer z)A^d_~*%IF>gȳ+z'^˰f\12ௗednld~iw;BX\jzr+g^e5v+iAư[/6^a/  ^敽I$= xEW4<< X1rnmŚ/JYy8* t!=}}(s#h03.Ñp_=R\zI[F$Q N؃8{n7}zNn_qL: ~iMnڧn\v<2kݫ+++p'k͠?~%kS$L^d6yx߅ ߊD,| e%HI0σh7J nAmz㏗g4j`./gnC=tZ}iP,US !PiWEjn2h s8a.-gjEM++J9wWrHi3=""CQ*R%}e`_*V&K=3 .=M^d fM-ϡ'!pB>fJC DK(x[xcD^_ƴmBfP6սD<'u~m

d%Q< oq9m|LڸAÆo^Ėٵv"n<4wz:e@4ǭaƹr0o@8[h xqJ)gL!l1AЩ>7rϒ1 hJ/.ӡxKQ,Vk2 5t0=_2u–'*F;BN`-yC`b)WOCM^D`yCOfY᥼x6,0G1i!n|p7707F=uof\ ".𰙄i uH=`GfAL qr|1h_u$bV$G1x_05:%xlӍ 1L=-ioB+_!c۝,<<T#0?f FӕsXKVvu;L_K'/Zpx fL~PΩ'KGJLƎ$z &:/{{ SN\}T.q 5" "HH "s{D|%7Ю9S%n Ee v"ё{wFsg|霰)#,|HTPe$ӧ6M\-OnKz=>~Pʂ)mø|˺tR(K)%̚o4ptѷkd9HR=I*4UMf΢ِ-ҿ&;Üz LJ @Bo)%:k[1ZOe[BI<ŷ`-<>,"7ϒe֔zLT zZ v,0%^z'ϒޒ{ƾ( ;C? T@|5 %\6LDR}B0~Nmv09DEPމ!/[v2 S*4%SPxSEz? MPt>[:SAWlx@ooMqomj_U`7'#~"VœA6np8@!(_Eْ+0u6(NAERb0H<&TO]&\fTj_ѮBTvlPP`ՙi);>BAr$#v/-GJ^Q.u 7tleb @J m73Tt %` GYU`.f\n)ZF$c5ԭ䅸<P0_~C.vQeNܔuFEmhT_ !*lˢM )/߶3qݼ¶,yX\FNv$ѿfpalX  ^|޹+o=Љe6;3G_]g4v'8K cd.XI@ qk.-wvua4,Lb9"[^QI(`жX3|,@a)5gn~ӧ4pRaL (b[и<7qum˸0#ŸErY)iV~LʩkcPֽk xٚջU$bCIAC9Xqk @<ל r;qmr?09&rX)>6snȭgz^ɴ|j}XXC *3f"k-],sїN<|;Xix0~ .3JbQ'.j?Vw:1XںqKǿ~|hJaEy鞢%!t.4!6ŇdEg_0m\}!l6;n_ﭙeTUA$7yM1ec*d_)V ]jqۙ QB6lS2u̹D/4^JB\qrHէr0>d֌VMӝo3a-dcˤ_ ?I+