Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft Confirms PowerPoint Zero-Day Attack



 By: Ryan Naraine
2006-07-13
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A previously unknown software flaw in the widely used Microsoft Office presentation program is being used in targeted attacks traced to China.

First Word, then Excel, now PowerPoint.

For the third time in two months, a zero-day vulnerability in a widely used Microsoft Office software application is being used in targeted hacker attacks.

The latest attack exploits a previously undocumented flaw in Microsoft PowerPoint, the ubiquitous presentation program used by millions of users around the world.

Resource Library:

The attack comes just days after Microsofts July Patch Tuesday and closely mirrors the situation in June when a zero-day Excel attack was discovered 24 hours after Patch Day.

Virus hunters at Symantec linked the zero-day attack to a Trojan horse program called Trojan.PPDropper.B that arrives via e-mail from a Gmail address.

The subject line of the mail and the .ppt file-name are in Chinese characters, suggesting that the attacks are emanating from—and attacking targets—in the Far East.

If the PowerPoint attachment is opened, the Trojan drops and executes a variant of Backdoor.Bifrose.E, a keystroke logger that is used to steal sensitive information and send it back to a remote server controlled by malicious hackers.

The Trojan also injects a malicious routine into the EXPLORER.EXE process that overwrites the malicious PowerPoint file with a new clean copy of the document.

Anti-virus researchers believe this tactic is used to wipe traces of the computer breach.

A Microsoft spokesman described the attack as "extremely limited."

"In order for this attack to be carried out, a user must first open a malicious PowerPoint document that is sent as an e-mail attachment, posted to a Web site or otherwise provided to them by an attacker.

"On more recent versions of PowerPoint, opening the PowerPoint document out of e-mail will prompt the user to be careful about opening the attachment," the spokesman said in a statement sent to eWEEK.

The company is expected to issue a prepatch security advisory with guidance and workarounds to help customers block potential attacks.

According to Symantecs advisory, the PowerPoint flaw affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Microsoft Confirms PowerPoint Zero-Day Attack
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}v8sjS#[rZ]ΜG"!eT韸/O7NnZhK']D ~vv$IMsל۔N]sSã7w$wv~]2I-*_rdz&j9%G jL7R}f]S ׫LNშ :#:UG.Pk< jZ53j5ԗoˏne0.ZIQ6*֠Oմn۴$1q@ݡh] YQږyH6GHaT`7sIzV@h ɠæ&q!꟔Cp`iFSK׌<{mH C[w5-%ZAۇ8o_vz>|j+r m N7߉QT"*rp8MI 1q${@BsoVS+~ASC T$0yY>E4b‰EU}$vߔL-~{Hu|ztn |')ĠV*PFbЊ%+gxc_-:NWOWfGN:>n>s鐚&tXAZ|[kU[nG!njdPp9Lwj/H ?5;VY$Y*r$8ퟟCJ ݖEL_ȻX_wKŗG)H73ǚ-=0ɔcPu t:9Csڊf}t-Mn "dLi&έZp-Alo K(H)5?&yϚb.L2o<|)=m̗U/d`(AK/g 5t*軤(If0A0<^f/_\RG 1 p1S{".Ӱuarv}ZnV͉*YXYujZlY?iQwθ~j?^\:5>@*NR}:;SjZim;Ni|Q}ѦޢR?ݘXiI'0i +GݺzN߳=Uԇ5D%h-DCwM0Ie!S@uCLέ]2C?FlEP>X^0G`^@8ppyY?90>o ߝ5#z[-[Z6x G͹A QN\Q@M2(%E2{4.'P(AH 9 \99|?#!bTLZ(6ݞH:s@-JEscMX*QY,p[/ Pf%)5{~6 cbB|#'"Xr`Y \h+|h)lb V.hiȨPs0=cWV+%EU} H&tTܷP9<:79HQob##YHLq;2@&{l6g{A3uNP"'Կ ;7u9\϶T=\҇9 UQR }+rfMAR?Ty  Bdj/h~W.Y 3EXVHdF!zC{ޡ[Y3T)w^IY䞅T_9YX XM`v7 ,Rd0q6NI SXh8E/C4꾶'ei[%ͺE[9(ĿKӺJj'-H#oh koռE_xue8Hi K-CrB`}.E6Gh?40Ov=p=F5}n& VoU wß@X[)ZPbY;L`beQӿR&a+\ڨ·'Χޱ;i6E7[{\MW@~uf:s?RlC4HhR+}neQUU[*X[ 3D2.P\+Cҵ3KwEe蘆H &}Fl4\Z#V!0\ |D30`,e߯COM:b^-!=ZSYɰ\R >16D ȸau-`byfc]Wѹq}O8l1D-g@?aRo5>  T#!EX+LTBYah[s6/z}xN`+\rW["LJ}=Nݡe5m*IH aۻ(Qܦ&;alâ˘c_- #>(cpHl`_<Ӈ> B LRE\ ~1~1UŠP=) ]`uX]/XL+*)Gpϟ  sWyGY?Oy^Hk )2)<:narUTՑn OGA.C{MtAjZ,@ ܠYaiO}Z,Y~B)' _k1&D@v.eۏU)&Uj l|`Z܎:{>-֌H+ c4}52*jAe߻ݬ`,m[D zDÈ i[qņZ ZYMf~ r?pߎXAmš9k+sD ü |30Jјl7hwMШ6> YLZ<*ɽoᘻ,OPýo~QB<Z\#h 'z+Gjz %8r zĀİh{~UM+%u2YhSIlؤC}gun22˓O~uTSc'oa#?ҍLnUc;2~ z:i0-a`O- v uhՂ|ͧ jw\0Z|_/giGu"M."08zGdDRz+~|/I6A'|[JI) `uVEZ)~)HǞ1}]ܙe>t1Վ8*z)O#ʜE/S Ymq'&.Ҁ^\T3 f;6}b;/ci)TEXqkX C=O f+(U|hy5"QrIuY l&ŏhȇUrVՏC~#=֢,ADUPU(V $ zVp8,h2Y+#t0/7" ޜblk ezפ_ՕIOe3q18@X=y}d6 5C1t53qqfS}qmYVC6fIJ}A1Tl\˪+> tVB 'I#cF􀮢e4qyh7(jMY@h# ;wk~ʁnUR#|(VVJrȹe0F\0R,W1<ʢ'rUN6._-Java *s>P|o -"ԄֿwLaV*7xo~.RHC$ |J Dp-6z_5ނ4 `i8~{HCo>rfWOnl_|.;lᳳI?`yAr+G~s.7.?/ėt;gK~J/ZR1~+z2W#&8k8`O*aո ?>n6<԰6MFkd34 H[3 BX:%'^t%V}Xhr!q6(a4&lC/a֭ Bb/3BdORC (ʡ=`=`VɈf=k|NkeسN/ m D78S*PW"REH%IAϚe_f}3bt4zQt"_Za(Kᷘo9?ů1KwxAh[(ktNz4 \1[INj?!g4|yQ$M "a]Zqnu zu@&iR'DZ3pq*d hw H-Ѝ>5?y{ho&o=)sdzI'伅)ћ^^S{20}_?I+I㆟isP]!XvdLc!I ɫ:w7}ʜ9%'+Tx|1(o9P2tI JGs`ȞxqM7bRc8wB?}|] {~ ]ݣPIݣ7뻻~=Ғ(r]ZD ܎qw5Q{qI9.xy?,r`\TzH^8؈ڽ] uU6m>-3hL Z6;xt6tY AAXy !h79g#91<#P`G ܍1J 3"q#ĠHXrMs _563Z7:ar*|"Zy䘖a %8\}1߈:6"Y1!QfM!XP|;ߌ93{C8l R*2Kp1)%ŷ`PBHpN̼V&Q~2*kwCOƥE/.qĨ`bowx7Ɩ{X#h<:KBg5X(a.Z_8ٿz9+ֻm 4ȉMU@Ln}"b4l3e>%`n3 HKFڅ)^jϾջ|t19ϝvOpLÝ, -L숉kk]Ý0s no \W&rvc"O7<=zg[QF$L?Z'IElT ]_p#@= 5W}ϻ?,Ilvĝ= .87 6MR.J(qVH/Piڔe ]OLE'ܘNcϒǨ;7,21L̨ښ`2?R0Rl x*JUUBȏ\[`f;ID `/$D>|@)ҔLzu h-B|wop\RJV}<ΖAsiHq|{փtbT bWt JW_}m1pPH,)I+nJǓ^X0~pk֘:pqvdyS_b& Y~/5Y #c+~X$$A)La/E4όeRdoOdjaS"+>I  :׻(<+ pHRGB@C"1$W&BDG[ ʦTz.ZY@TUtKjSLB#mKV(6RcApOBpD{4D,˦M]ߪ6J6PeGgdmOkTxI AGMw17ٗN䮍' 8BTRJ {7 *qk5 sYtU ~UR֚.kܔEE)N2VWtoe,iOղ=٥K.! ^YV@IґrdK0=TmZ-u %&9pD% (J c,DcT^o̶ _Ƶtz3W*]m?| Aa$ a2%ؗH7k{P.6$wH ̞m4/ĕJTnf&G6FxcD4ƈh,%_#ڟJ@=jXoOf!nHk=]/kMܑGx3/u'Ro> `;dҬ^Cd9"@ \B^ }>ZoΆSyTdE&zeUqcX4GJDyL0LjP/,\C\KlQQ6JD)}M^}inz* qgk~----bE ۷/=Τn),.-<^P=%EC @B F!:} {ӱ7\e/XޗO*9z 5O5;e@I~)^ `H)ṐoηF72صm}(2rwΣŕxE&d J1gzp«/1nIy59QbeKTԷ=xOsP aGZԝ۾ki Kheppe^!{}7^o^ZJjŠ덥"]ud=0@ B^!B0^ <qco^]k2F-An؀>Z5"7~>1=x}6ɖ(XY?uwq_Sݟ?4O c 3#Ur q%F_x"y Jykk/̅:4Wba$}*e?v#t) ģ{68sRJf@a7*+lxW֋_uXhM3ݶ^PjrRep8\Ν[TzmM QTkv mXoM֌fFRso Z!ߤLm_mT(JV_ &Uֿe#{tХ4moJY2VC|_~_<,Mgj{c~2oO@85kQ/ND(&wU 8e[Y@7džd , &惃%gpM@{IlJMq-Eu~槯^,6GW-N/*`6l{;pOԦ}-G\bd= D?\<9C"F6]ޓ`ZP1⍦~Ceٿeg!i=2݀7m*k+HM9T\g %f,DiH!:[dF+iFǒOW1ha8L)DU<11t#P̲jNT]֏pY=XCE3 CL w?VH|Uݷh}exxJ"rK:-%fi~#:&0* >&wA>po<|SPʕ=U+%=hp ̋XL t4*$:m=~}}LROw?\N CRY `Oi$~b C"vFf.BT0 m8!$  JzhEw[= d 9k `m:Ca=T*0 0 OF= !'@vQ]Q L] Cw0O]e7uauh c>r*ᜭ#+^bʑ`ڨ~)J"'0ឩV1,G4)kM(qi+8;bȱkfHw>>r:vLzWU8jz67a\nq4ħYO:\=4[EYFPkF(Q~ ˏ@w2ʑ˛f+ʏח~N2!>B\͌r_;i_dC( ח s?9?ς=9<?=}-<>ρ>3y"cSF)f Q~0{s?0ׁw2ɐ?/ fGf sA?=/c=/c}~X_c}}OY0O+(*ʠ+h*+ K:ICPFNOoT8G\(^JeYWa uqQ@yJɠ2,cx.rg e{9;[?_N3^a芪g-5nk ǸJu1 4xW /ByeoR)IAQfa. 3l?V\[[,Oнۺ{ Jݓs+z`~J\]d}+|UnE+tVOq&R<#s"qDZJ5faOd_-RqFPc^e= !ˋ٠bV`l>h|k:KdB'pZ`(fZ gx:NBhعKjz|jpO4psn ~w90l Hj$7rQӊj~JR#\"aڌ`=b%e$&T_$`vX엊r(RB4|OӴW)Y7tSsc<{+4аY-P=^?FG^5_ŗ1 {7/TMu// {_A1Cf@2b'`{ڝYI4[kܹ?|Nz6.eа!,%sv[F0 c|n35<>8Ï }CQ=;t܆,0]ݎ:S'Հ`m޴|c;ԤsId b2Oty'0OF<#Fb\WvNOwM9`&< Ä,IRŶ/G?$lIk0| ^c?94Ô(?W V_dvO~-B+O 8H2Gd!᳤c"5("vy9= |ɳd/+2b%#i*iŗf:ХդO,9"Ź oPmBOwM{ ,AP6v>Lcc? `vwb9c˖;) Mm+#8C>ԸmQ޺%pm.;+CO1֪TgU|yx9A1^WQ$ L{yݟ >@/7Ak~ E Oɺ<l4@FWD0;"6im.#sE%X,8/# kuf_-r Φ(@PPOWtm:y@t zm놮E{Ofuݎfmt{]Kl C>`mR>EK ]'[٧3й?-{/e[ &,{ QFbFK;ǩk[Vmx: }u+y!.1: ˟]zTqٶ7(G,cݴsQa[:6n ۲uy˷DL\7難-my#Qť9m@>{zw!G[0tczWY=R6Ȥ{ ePCik5ZK 0Dq] XâȖWqTR:!; /D?8- ci, ;fcXJ YF!Ƨ7'TS*4.>ύnw]29LgѼ{gbCu,aZ!%ӫrulC"|fn@XjPoe1afrYW`2-Z.<'̳(`,Lv"VKJMΡmlQ2aڇl*~H&7l{k+ЭDnxFs-^P?Q> χ"@LNENE<<*IDy)V@ȟ83}E.ttgLt )2)v}ml-c6C-;X5+