The Microsoft Security Response Center has released Advisory 969136 today about a vulnerability in Microsoft Office PowerPoint which is being exploited in the wild. Office 2000, Office XP, Office 2003 and Mac Office are vulnerable; the latest version, Office 2007, is not. The Microsoft SRD blog provides more details about how to protect your environment from the vulnerability.
So far we’re aware of several distinct exploit files which have been used. They all seem to be used only in targeted attacks and therefore the number of affected customers is very low. Here’s a diagram that demonstrates how such an attack happens:
Usually these files look legitimate when opened, so it is quite easy to fall prey without noticing that something malicious ran in the background. Here are two examples of the first slide in such slideshows:
We are also releasing today a generic signature to protect our customers against these exploits. Its name is Exploit:Win32/Apptom.gen. Access to such exploit files is blocked when a Windows Live OneCare user or a Forefront Client Security user tries to open them. This new signature is included in definition update version 1.55.975.0 or higher.
The malicious PPT files try to drop malware once opened. Here is a screenshot with the process activity after a malicious document has been executed:
We’ve added detection to these binaries as:
The exploit files have recently been submitted to the popular VirusTotal scan site. Either the miscreants who created these exploits were checking how antivirus products detect their new files, or the victims were trying to find out whether the files were malicious. For our fellow researchers in other security companies, here are several SHA1 hashes of these exploits:
| MD5 Hash | SHA1 Hash |
|----------|-----------|
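Researchers who receive hash lists like the one above usually want to sweep a mail store or file share for matching samples. The following script is an added example and is not code from the original post or from Microsoft; it computes MD5 and SHA1 digests, checks for the OLE2 compound-document header that Office 97-2003 PowerPoint files carry, and reports any file whose digest appears in an indicator list. The hash values in `KNOWN_EXPLOIT_HASHES` are placeholders, since the post's table did not survive extraction; fill them in from the advisory before use.

```python
import hashlib
import os
import sys

# Placeholder indicator list (assumption): the hash table in this post did not
# survive, so these are NOT real values. Replace them with the published hashes.
KNOWN_EXPLOIT_HASHES = {
    "md5": {"<md5-hash-from-advisory>"},
    "sha1": {"<sha1-hash-from-advisory>"},
}

# Header of an OLE2 compound document, the container used by .ppt/.pps files
# from Office 97-2003. Office 2007 .pptx files are ZIP archives and lack it.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

PPT_EXTENSIONS = (".ppt", ".pps", ".pot")


def hash_bytes(data: bytes) -> tuple:
    """Return (md5, sha1) hex digests of an in-memory sample."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hash_file(path: str, chunk_size: int = 1 << 20) -> tuple:
    """Return (md5, sha1) hex digests of a file, reading it in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def is_ole_document(data: bytes) -> bool:
    """True when the first eight bytes are the OLE2 compound-document header."""
    return data[:8] == OLE_MAGIC


def classify(data: bytes, iocs=KNOWN_EXPLOIT_HASHES) -> dict:
    """Classify one in-memory sample against the indicator list.

    'match' is True when either digest appears in the indicator sets; 'ole'
    records whether the sample is a legacy binary Office container at all.
    """
    md5, sha1 = hash_bytes(data)
    return {
        "md5": md5,
        "sha1": sha1,
        "ole": is_ole_document(data),
        "match": md5 in iocs["md5"] or sha1 in iocs["sha1"],
    }


def scan_directory(root: str, iocs=KNOWN_EXPLOIT_HASHES,
                   extensions=PPT_EXTENSIONS) -> list:
    """Walk 'root' and return the paths of PowerPoint files that match an IoC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            md5, sha1 = hash_file(path)
            if md5 in iocs["md5"] or sha1 in iocs["sha1"]:
                hits.append(path)
    return hits


if __name__ == "__main__":
    # Usage: python scan_ppt.py <directory>
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_directory(target):
        print("IOC match:", hit)
```

Matching on both digests lets the same list serve teams that only recorded one of the two; the OLE header check is a cheap way to set aside files that merely carry a .ppt extension before spending time on them.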
As usual, be cautious when you open attachments from untrusted sources and make sure your antivirus software is up to date. Microsoft will release a security update for this issue; once it is available, install it promptly.
We’d like to thank Patrick Nolan for his help with creating this blog post.
--Cristian Craioveanu & Ziv Mador