No hole in PowerPoint after all
Warnings about a supposed new hole in PowerPoint are currently making the rounds. These reports are based on a description by hardware maker Trend Micro of the trojan TROJ_MDROPPER.BH, which purportedly exploits a previously unknown hole in PowerPoint. The Internet Storm Center alluded to this in its diary, which the security portal Securiteam took as an impetus to release an FAQ about the problem. This in turn was posted to various security mailing lists – clearly without the authors ever having examined a sample of the pest themselves. A new CVE entry was even created, claims Juha-Matti Laurio, the author of the FAQ.
In the meantime, however, Trend Micro has updated its description of the trojan. That document reports that the malware exploits a hole in Office, (MS06-012), that was reported back in March and which has long since been closed on most Windows computers. A test by the heise Security editorial staff with a sample of the trojan on Windows XP SP2 confirmed this. Nothing happened. Microsoft released statements to the US media that their own analysis had also determined that an old hole was involved.
The danger of an infection can hence be deemed relatively low. But it is not yet time for a general all-clear. Few virus scanners recognised the new trojan as of yesterday. Users who install Office at a later date should make certain that Windows has installed the patches via automatic update.
- Microsoft PowerPoint 0-day Vulnerability FAQ - August 2006,, Description from Securiteam
- TROJ_MDROPPER.BH, Description from Trend Micro