New PowerPoint Attacks Hit Old Flaw

By Matthew Hines  |  Posted 2009-09-01 Print this article Print

Researchers are tracking the emergence of a new set of malware attacks loaded into Microsoft PowerPoint documents that take aim at a long-patched vulnerability in the application.

Highlighting the success that many attackers still have in launching threats that prey on vulnerabilities that should have been fixed long ago, the new PowerPoint attacks seek to exploit the issue identified by Microsoft as MS06-028, first patched in June 2006.

Even those who remain unpatched could avoid the attack by avoiding unsolicited .PPT attachments, so clearly the threat is aimed at less savvy individuals, or those living in countries such as China where the popularity of pirated Microsoft software allows for old flaws to remain available targets.

Among the researchers logging new waves of the .PPT campaigns was Sophos, which said it has seen a sharp increase in the attacks over the last several business days.

For those who should be patched, the usability of the attacks shows how even a recent spate of .PPT-related zero day threats sometimes fails to motivate people to ensure their computers are completely up to date, experts with the company noted in a blog post.

Other than that, the only hint to people that they've become infected may be that they would notice a "brief flicker" on their screen before seeing a first slide appear the next time that they use the program.

The attacks drops a Trojan, identified by the researchers as Troj/Protux-Gen, onto affected machines. The screen flicker is triggered by the involved shellcode, which also downloads and runs another executable, Troj/ReopnPPT-A, that shuts down any open PowerPoint processes, removes the shellcode from the malicious .PPT and re-opens PowerPoint with the newly disinfected presentation, Sophos reported.

No matter how responsive vendors become with their patching activities, it seems that attackers are still going to have success using old tactics and vulnerabilities to carry out their campaigns.

Looks like it's time to go back to school folks.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel