Unpatched PowerPoint Flaw Under Attack

Microsoft is investigating reports of a new PowerPoint zero-day exploit hitting select business targets.

Microsoft's summer-long struggle to lock down gaping holes in its Office software suite has once again escalated with the discovery of a new zero-day attack targeting PowerPoint users.

The Redmond, Wash., software maker confirmed reports from anti-virus vendors that another round of "extremely limited attacks" is exploiting a previously unknown PowerPoint vulnerability.

The e-mail-borne attack, which uses rigged .ppt attachments, is being used to plant a Trojan dropper on infected Windows machines.

According to an advisory from Symantec, the malicious file injects itself into several computer processes and uses rootkit techniques to hide its files and process.

It opens a back door and connects to Web sites hosted at the 6600.org and 9966.org domains, allowing a malicious hacker full control of the target machine.

The file names of the rigged PowerPoint files are "FinalPresentationF05.ppt" and "2006-Jane.ppt", according to Symantec's alert.

The tactics appear identical to a recent wave of zero-day PowerPoint exploits that experts believe are linked to corporate espionage in the Far East.

Symantec said the targeted attack could be used to perform network reconnaissance, search for files, download and upload files, create and remove folders, execute commands or update registry entries.

McAfee, an anti-virus software vendor in Santa Clara, Calif., said the exploit was aimed at "a single target," further confirming that the recent exploits against Microsoft Office users are part of well-targeted attacks.

A spokesperson for Microsoft said the company's investigation has concluded that the vulnerability affects users of Microsoft Office 2000, Microsoft Office 2003 and Microsoft Office XP.

"In order for this attack to be carried out, a user must first open a malicious Microsoft PowerPoint document that is sent as an e-mail attachment or otherwise provided to them by an attacker," the spokesperson said.

He said Microsoft is aware of an attack scenario that involves malware known as "Win32/Controlppt.W" and "Win32/Controlppt.X," and has added detection and removal signatures to its free Windows Live OneCare safety scanner.

