from Greg Keizer
An unpatched bug in Microsoft’s PowerPoint presentation maker is being exploited by an in-the-wild attack, Symantec researchers said Thursday, marking the latest bad news for Office users.
According to the Cupertino, Calif. security vendor’s threat analysis team, attacks are currently under way using an unpatched vulnerability in PowerPoint. If the “zero-day” attack is successful, the hacker gains complete control of the compromised computer.
The attack is carried out by a Trojan horse with the moniker “PPDDropper.b,” which hides inside a malicious PowerPoint file attached to an e-mail with a Google Gmail return address. PPDDropper.b, in turn, drops a backdoor component, dubbed “Bifrose.e” by Symantec. Bifrose.e then injects a malicious routine into Windows’ EXLORER.EXE process, and overwrites the malformed PowerPoint file with a new, clean presentation document.
“The attackers are trying to slide under the radar,” said David Cole, the director of Symantec’s security response center. “Once they get onto a PC, they think if they delete the infected file there’s less chance of getting caught.
“They’re trying to get rid of the evidence, throw away the crowbar they used to wedge the door open,” Cole added.
That part of the process is identical to one used last month by a now-patched Excel attack. In fact, said Cole, there were several other similarities between the Excel and PowerPoint exploits.
“Both use a two-step attack, a dropper Trojan and a backdoor,” he said. “Both were launched by messages written in Chinese.”
The similarities led Cole to believe that the two attacks could be the work of the same group. “That’s as much as we could say, though, at this point.”
Unlike the Excel bug, the PowerPoint flaw — confirmed only in PowerPoint 2003 thus far — remains open to attack. Microsoft issued three security updates Tuesday to fix various versions of Office and its applications, but the Thursday bug was not among the 13 flaws patched.
Microsoft’s Office suite has faced a number of attacks and owned up to numerous vulnerabilities in the last two months. In May, a serious bug in Microsoft Word was used in by hackers to target one or more corporations. During June, several flaws were disclosed in the suite’s Excel spreadsheet.
“The attention to Office underlines the shift toward target attacks,” Cole said. “If espionage and data theft are why attacks take place, what format is that data in? Microsoft Office. It’s really that simple.”
Symantec advised users to avoid opening PowerPoint documents received via e-mail until a patch was issued by Microsoft; its researchers also told users to consult the mitigation tactics laid out in the MS06-038 security bulletin posted Tuesday on the Microsoft Web site.
Microsoft did not immediately respond to a request for confirmation from its Security Response Center (MSRC).