Attackers exploit critical PowerPoint vulnerability

'We missed this bug,' Microsoft admits, but doesn't commit to a patch

For the second time in five weeks, Microsoft Corp. warned that hackers were exploiting a critical unpatched bug in its popular Office application suite.

In a pre-patch security advisory issued late yesterday, Microsoft confirmed that attackers were using rigged PowerPoint files to trigger the vulnerability in older editions of the presentation maker. In fact, several different exploits are on the prowl, said company researchers Cristian Craioveanu and Ziv Mador in a posting to the Microsoft Malware Protection Center's blog.

Microsoft spokesman Bill Sisk downplayed the threat. "At this time, Microsoft is only aware of limited and targeted attacks that attempt to use this vulnerability," he said in an e-mail.

Unlike five weeks ago, when Sisk said the same thing about a "zero-day" flaw in Excel, Microsoft's spreadsheet software, he didn't explicitly promise that the company would patch the problem.

"Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs," he said Thursday. The Excel vulnerability has not yet been patched.

Yesterday's bug affects PowerPoint 2000, PowerPoint 2002 and PowerPoint 2003 on Windows, and the edition included with Office 2004 for Mac. According to Microsoft, the vulnerability is in the way that PowerPoint parses the older file format used by those versions, and can be used by attackers to run additional malware and hijack the PC.

See How to Deliver a Better PowerPoint Presentation

"The question is, when will it end?" said Andrew Storms, director of security operations at nCircle Network Security Inc., referring to the regular disclosure of vulnerabilities in Office applications' file formats. "They'll probably never find all of the vulnerabilities in the file formats," he continued, "because they may not be going back into these older products to [test] them with newer fuzzers."

"Fuzzer" is the term for security development software that hammers on application inputs in an attempt to find weak spots.

"It's more likely that they're fuzzing the newer products," Storms added. "So we don't know if it's something they missed or just something they hadn't been able to find with newer fuzzers."

Other Microsoft researchers acknowledged that they had overlooked the PowerPoint vulnerability.

"The malware samples ... exploiting this vulnerability are the first reliable exploits we have seen in the wild that infect Office 2003 SP3 with the latest security updates," said Bruce Dang and Jonathan Ness, two engineers at the Microsoft Security Response Center. "Office 2003 SP3 had a good run being safe from the bad guys, but we missed this bug while back-porting fixes found in the Office [2007] fuzzing effort to Office 2003 SP3," they said in another blog posting Thursday afternoon.

Microsoft made much of Office 2003 SP3's security enhancements when it released the service pack in September 2007, claiming at the time that it would better protect users, in part because it integrated security features it had built into Office 2007.

Office 2003 SP3, however, was also blasted by users for automatically blocking many aged file formats, including some still in use, forcing Microsoft to publicly apologize in January 2008.

Until a PowerPoint patch is produced, Microsoft said users could protect themselves by blocking PowerPoint files from opening, a process that requires editing the Windows registry, normally a chore beyond the ability of most users. Alternately, users can run PowerPoint 2003 documents through the Microsoft Office Isolated Conversion Environment (MOICE), a tool released in 2007 that converts those files into the more secure Office 2007 formats to strip out possible exploit code.

Hackers are using the bug to deliver one of several Trojan horses to targeted machines, Microsoft said. The Trojan, classified as a downloader, is capable of installing additional malware on the compromised computer.

Newer versions of the presentation maker, including PowerPoint 2007 on Windows and PowerPoint 2008 on the Mac, are not vulnerable to the exploits.

The next regularly scheduled Microsoft patch day is April 14.

Join the PC World newsletter!

Error: Please check your email address.

Tags ncirclemicrosoft patchespowerpoint

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?