In association with heise online

13 July 2006, 22:10

Zero-day exploit for PowerPoint


Microsoft Office users have their work cut out for them: once again, attackers have found a way to exploit a previously unknown weak point in a program of Microsoft's office software suite just a day after patch day. This time, Symantec has found a manipulated PowerPoint presentation that installs a variation of Backdoor.Bifrose.E on PCs. Symantec has named the malicious PowerPoint presentation Trojan.PPDropper.B.

No pun intended, but attackers seem to have an arsenal of holes up their sleeves that they can exploit any time they want; apparently, they have only been using a few of them. They wait until patch day to pull out their tricks, because they know that they then have around four weeks of breathing space to inject malicious code.

A few years ago, macroviruses were a popular way of injecting malicious code, but standard program settings have improved so much that this risk is almost negligible today. Nowadays, most users no longer hold Office documents to be potentially malicious and thus open them unsuspectingly. After all, who doesn't get strange documents from friends every now and again? People have come to rely on virus scanners to block any malicious documents.

But Andreas Marx of AV-Test warns users not to rely too heavily on antivirus software. In his tests, he found that a number of antivirus vendors detect the discovered malicious documents merely by their checksum. All an attacker has to do to prevent such scanners from finding the contaminant is change a single bit in the document. Marx also found that the other antivirus vendors needed a lot of time to provide generic signatures.
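The difference between checksum-only detection and a generic signature, as an added illustration that is not part of the original article and not AV-Test's or any vendor's code. The "document" is a constructed byte string: it starts with the real OLE2 header that legacy PowerPoint files carry, but the record marker and the byte run after it are placeholders standing in for whatever structural feature a generic signature would key on. The detector classes, the `flip_bit` helper and the `demo` function are all assumptions made for this example.

```python
import hashlib
import re

# Real header of legacy Office (OLE2 compound document) files such as .ppt
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed stand-in for a malicious presentation. The marker and the run of
# 0x41 bytes are placeholders for a suspicious record layout, not real malware.
MALICIOUS_SAMPLE = (
    OLE2_MAGIC
    + b"\x00" * 24
    + b"PowerPoint Document"
    + b"\x00" * 8
    + b"SUSPICIOUS_RECORD_PLACEHOLDER"
    + b"\x41" * 64
)

# Constructed benign presentation with the same header but an ordinary body.
BENIGN_SAMPLE = (
    OLE2_MAGIC
    + b"\x00" * 24
    + b"PowerPoint Document"
    + b"\x00" * 8
    + b"Quarterly figures, slide 1"
)


def sha256_hex(data: bytes) -> str:
    """Checksum used by the hash-based detector."""
    return hashlib.sha256(data).hexdigest()


class HashDetector:
    """Checksum-only detection: a file matches only if its hash is on the blocklist."""

    name = "checksum"

    def __init__(self, known_bad: list[bytes]):
        self.blocklist = {sha256_hex(sample) for sample in known_bad}

    def detects(self, data: bytes) -> bool:
        return sha256_hex(data) in self.blocklist


class GenericDetector:
    """Structural detection: OLE2 header plus the suspicious record layout."""

    name = "generic"
    # Marker followed by a long run of identical bytes (hypothetical pattern).
    PATTERN = re.compile(rb"SUSPICIOUS_RECORD_PLACEHOLDER\x41{32,}")

    def detects(self, data: bytes) -> bool:
        return data.startswith(OLE2_MAGIC) and self.PATTERN.search(data) is not None


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Return a copy of data with one bit toggled (the minimal change Marx describes)."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def scan(detectors, data: bytes) -> dict[str, bool]:
    """Run every detector over the data and report which ones fire."""
    return {d.name: d.detects(data) for d in detectors}


def demo() -> tuple[dict, dict, dict]:
    """Scan the known sample, a one-bit variant of it, and a benign file."""
    detectors = [HashDetector([MALICIOUS_SAMPLE]), GenericDetector()]
    original = scan(detectors, MALICIOUS_SAMPLE)
    # Toggle one bit inside the zero padding after the header; the structural
    # feature the generic signature keys on is untouched.
    variant = flip_bit(MALICIOUS_SAMPLE, 12, 0)
    mutated = scan(detectors, variant)
    benign = scan(detectors, BENIGN_SAMPLE)
    return original, mutated, benign


if __name__ == "__main__":
    for label, result in zip(("known sample", "one-bit variant", "benign"), demo()):
        print(f"{label:16s} {result}")
```

The checksum detector fires only on the byte-exact sample and goes silent after the single bit flip, while the generic signature still fires on the variant and stays quiet on the benign file. The same `scan` call also shows why running two detectors that use different methods raises the odds that at least one of them catches a new variant.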

In its security blog, Microsoft spoke only of a "single report" about the weak points in Excel that were exploited after patch day in June. In other words, this bulletin has not been updated with the latest information about the spread of the exploits and the danger that stems from this hole, even though Marx knows of at least 30 different versions of manipulated files that company employees have received in the meantime. The people sending out specially prepared Office documents seem not to have been focusing on private users. The authors of the malicious documents are probably involved in industrial espionage, because the documents seem to be sent to a select group of companies.

Fending off such attacks turns out to be difficult. Companies often exchange Office documents, making a general filter at the gateway impracticable. Manipulated documents can only be filtered out if the exploits they are based on are already known. While working with limited user rights does restrict the damage that contaminants can do by preventing them from becoming embedded deep in a system, they can nevertheless read, send, and destroy local Office documents - and add themselves to the user's autostart entries.

By using a continually updated antivirus product on the desktop from a different vendor than the gateway scanner, you at least increase your chances that one of the two solutions will detect the malicious documents. In addition, Marx recommends using NX memory protection, even if only as a software solution, to help minimize the effects of buffer overflows. Finally, awareness must be raised among employees: while most users know that a .exe file should not be executed, the general understanding of malicious Office documents is not as widespread.
