Attackers exploit critical PowerPoint vulnerability
'We missed this bug,' Microsoft admits, but doesn't commit to a patch
Computerworld - For the second time in five weeks, Microsoft Corp. warned that hackers were exploiting a critical unpatched bug in its popular Office application suite.
In a pre-patch security advisory issued late yesterday, Microsoft confirmed that attackers were using rigged PowerPoint files to trigger the vulnerability in older editions of the presentation maker. In fact, several different exploits are on the prowl, said company researchers Cristian Craioveanu and Ziv Mador in a posting to the Microsoft Malware Protection Center's blog.
Microsoft spokesman Bill Sisk downplayed the threat. "At this time, Microsoft is only aware of limited and targeted attacks that attempt to use this vulnerability," he said in an e-mail.
Unlike five weeks ago, when Sisk said the same thing about a "zero-day" flaw in Excel, Microsoft's spreadsheet software, he didn't explicitly promise that the company would patch the problem.
"Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs," he said Thursday. The Excel vulnerability has not yet been patched.
Yesterday's bug affects PowerPoint 2000, PowerPoint 2002 and PowerPoint 2003 on Windows, and the edition included with Office 2004 for Mac. According to Microsoft, the vulnerability is in the way that PowerPoint parses the older file format used by those versions, and can be used by attackers to run additional malware and hijack the PC.
"The question is, when will it end?" said Andrew Storms, director of security operations at nCircle Network Security Inc., referring to the regular disclosure of vulnerabilities in Office applications' file formats. "They'll probably never find all of the vulnerabilities in the file formats," he continued, "because they may not be going back into these older products to [test] them with newer fuzzers."
"Fuzzer" is the term for security development software that hammers on application inputs in an attempt to find weak spots.
"It's more likely that they're fuzzing the newer products," Storms added. "So we don't know if it's something they missed or just something they hadn't been able to find with newer fuzzers."
Other Microsoft researchers acknowledged that they had overlooked the PowerPoint vulnerability.
"The malware samples ... exploiting this vulnerability are the first reliable exploits we have seen in the wild that infect Office 2003 SP3 with the latest security updates," said Bruce Dang and Jonathan Ness, two engineers at the Microsoft Security Response Center. "Office 2003 SP3 had a good run being safe from the bad guys, but we missed this bug while back-porting fixes found in the Office  fuzzing effort to Office 2003 SP3," they said in another blog posting Thursday afternoon.
- Microsoft sets record with monster Windows, IE, Office update
- Preston Gralla: Five ways Apple said to fail on security
- Microsoft confirms serious IIS bug, downplays threat
- Apple delivers jumbo security update for Mac OS X
- Microsoft delivers mega PowerPoint patch
- Attackers exploit critical PowerPoint vulnerability
- Microsoft patches huge Windows 7 RC bug
- Image spam returns with a vengeance
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts