A few months ago it was Microsoft Word. Last month it was Excel. Now PowerPoint is under attack through a critical hole. Why so many Office flaws so quickly?
Part of the reason is that "black hat" hackers now have cracking tools called "fuzzers" that can automatically run through thousands of combinations of programming calls to find the one (or the dozens) that will crash a program. Such holes fetch good money from valid security firms that pay bounties, as well as from the Internet black market.
In addition, new vulnerabilities are cropping up at a faster rate in popular applications, such as Web browsers and media players, than in Windows, a fact not lost on crackers. When they find a new hole in Office, for example, they can mix-and-match an exploit that hits it with existing viruses and other malware for a quick attack that strikes before a patch appears--a bit like adding the latest targeting system to an existing missile.
Attackers did just that with the PowerPoint hole, which affects versions 2000, 2002, and 2003. As with the other Office flaws mentioned here, if you open a poisoned file from a Web site or an e-mail attachment, an attacker can take control of your PC. By the time you read this, Microsoft should have devised a patch for the vulnerability and sent it via Automatic Updates. For further details, read Microsoft Security Advisory 922970.
The new PowerPoint hole is much like the Excel holes that I discussed last month, which the last set of Automatic Updates corrected. You can get the Excel fixes and more information from Microsoft Security Bulletin MS06-037.
A second Office patch, also sent via Automatic Updates, eliminates three other holes in the major apps of Office 2000 through 2003. The risk is rated critical only for Office 2000, and important for other Office versions. The difference, however, is just that you get a minimal pop-up warning if you try to open a poisoned file, so get the update regardless of your version. For more details, read Microsoft Security Bulletin MS06-038.
Finally, Microsoft has fixed two critical holes involving the way both Office and Works handle the display of certain image formats--specifically, Portable Network Graphics (PNG) and Graphics Interchange Format (GIF). No attacks occurred prior to Microsoft's release of the patch; and again, the patch is critical only for Office 2000. You can get it via Automatic Updates or from Microsoft Security Bulletin MS06-039.