13 October 2006, 17:09

PowerPoint vulnerabilities galore

The problems seen after the last Microsoft patch day are now becoming a regular feature - once again, shortly after the release of security updates for Excel, PowerPoint and Word, a new exploit has emerged which takes advantage of a previously unknown vulnerability. This time it's again PowerPoint 2003 which is affected. According to the Microsoft Security Response Center, the exploit is currently at the proof of concept stage. So far no prepared documents capable of infecting a PC on being opened have been sighted on the internet. It should be anticipated, however, that this will soon change.

There is method to the timing - "crimeware gangs" have adjusted to Microsoft's release cycle and make use of exploits for vulnerabilities they have discovered but which have not yet been patched shortly after the patch day. They then have four weeks until the next patch day in which users are susceptible to these vulnerabilities - unless Microsoft distributes unplanned updates. Nonetheless, over the last few months prepared office documents have only been used for relatively targeted attacks by e-mail. The majority of users do not therefore seem to be in direct danger, which invites the speculation that Microsoft will take their time in the run up to the November patch day. On Tuesday of this week, the Redmond company fixed four more vulnerabilities in PowerPoint, Excel and Word.

Users should open unrequested Office documents only with extreme caution and in case of doubt should contact the sender. Alternatively they could use for example OpenOffice.