Published: April 14 2009, 12:00 AM by Mary Grace Gabriel
Today is April 14, the day commonly known as "Patch Tuesday". In its Advance Security Bulletin last Friday, the Microsoft Security Response Center (MSRC) gave advance notice that today’s release will include patches for five critical flaws (including those affecting Internet Explorer and Excel, the latter a zero day since February 2009), but there was no mention of PowerPoint. So the PowerPoint vulnerability will remain a zero day until next month unless Microsoft releases an out-of-band patch.
Latest Microsoft PowerPoint Flaw
In February I posted a blog about a Microsoft Excel vulnerability that could allow remote code execution if a user opened a specially-crafted Excel file. Now it seems Microsoft PowerPoint is next in line; we have received several samples that contain a new Microsoft Office zero day exploit.
On April 2, 2009 Microsoft published Microsoft Security Advisory 969136, disclosing information about a Microsoft PowerPoint vulnerability that could allow remote code execution if a user opens a specially crafted PowerPoint file. The vulnerability, also known as CVE-2009-0556, remains unpatched while Microsoft investigates the case.
Judging by the volume of malware arriving in our lab, malware authors are eager to exploit the vulnerability before Microsoft releases the patch. We have received a number of PowerPoint files that attempt to exploit the vulnerability in order to drop additional malware on the target system.
When you open one of these malicious slideshows, the content appears to be innocent, but behind the scenes the file is busy dropping and executing malware on your system. The following images show the first slide from each of a selection of malicious Microsoft PowerPoint files that we have received so far.
Figure 01 shows the first slide of a slideshow depicting naked women in a bathing pool. It’s pretty obvious that curiosity will get the better of many people in this case.

[Figure 01 – Nude bathers]
Figure 02 shows the first slide of a slideshow regarding Earth Hour. With so many people around the world interested in doing their bit against Global Warming, this would also attract many viewers.

[Figure 02 – Earth Hour]
Figure 03 shows the first slide of a slideshow depicting celebrities without their makeup. Judging by the number of these types of photos appearing in magazines these days, this slideshow is also likely to be very popular.

[Figure 03 – Celebrities without makeup]
Figure 04 shows the first slide of a slideshow consisting of some random graphic images; not particularly interesting in any way.

[Figure 04 – Random Graphic]
This vulnerability affects the following Microsoft products:
- Office PowerPoint 2004 for Mac
- Office PowerPoint 2000 SP3
- Office PowerPoint 2002 SP3
- Office PowerPoint 2003 SP3
CA detects these malicious PowerPoint files as PPT97/PPDropper.G. To protect your machine against infection, never open a PowerPoint file from an untrusted source, especially while this vulnerability remains unpatched. Always keep your security product's signature files and your operating system up to date!