PowerPoint vulnerabilities galore
The problems seen after the last Microsoft patch day are now becoming a regular feature - once again, shortly after the release of security updates for Excel, PowerPoint and Word, a new exploit has emerged which takes advantage of a previously unknown vulnerability. This time it's again PowerPoint 2003 which is affected. According to the Microsoft Security Response Center, the exploit is currently at the proof of concept stage. So far no prepared documents capable of infecting a PC on being opened have been sighted on the internet. It should be anticipated, however, that this will soon change.
There is method to the timing - "crimeware gangs" have adjusted to Microsoft's release cycle and make use of exploits for vulnerabilities they have discovered but which have not yet been patched shortly after the patch day. They then have four weeks until the next patch day in which users are susceptible to these vulnerabilities - unless Microsoft distributes unplanned updates. Nonetheless, over the last few months prepared office documents have only been used for relatively targeted attacks by e-mail. The majority of users do not therefore seem to be in direct danger, which invites the speculation that Microsoft will take their time in the run up to the November patch day. On Tuesday of this week, the Redmond company fixed four more vulnerabilities in PowerPoint, Excel and Word.
Users should open unrequested Office documents only with extreme caution and in case of doubt should contact the sender. Alternatively they could use for example OpenOffice.
- PoC published for MS Office 2003 PowerPoint, report by the Microsoft Security Response Center
- Microsoft confirms new vulnerability in PowerPoint, report on heise Security
- Trojan penetrates Windows PCs via undocumented PowerPoint vulnerability, report on heise Security
- Zero day exploit for PowerPoint, report on heise Security
- Microsoft confirms vulnerability in Word 2000, report on heise Security
- New trojan for zero day exploit in MS Office 2000, report on heise Security