Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Powerpoint, yet another new vulnerability SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Powerpoint, yet another new vulnerability
Microsoft confirms yet another powerpoint vulnerability that leads to code execution.

References

Detection

McAfee has a writeup of the exploit they detected against this vulnerability to connect back to http:// mylostlove1 .6600 .org/[CENSORED] but variants of this will most likely connect to other places.

Affected

It seems all supported versions of Office are affected. It's interesting to note that Microsoft also lists the Apple versions of Office as vulnerable.

Delivery vectors are basically all means to get the file to you, including web, email, thumb drives, CDs, ...

Defenses

  • Do not to open ... but we all know how easy it is to social engineer people into opening things anyway.
  • Use the PowerPoint Viewer 2003 (nah, not an option if you have a Mac).
  • Filter and/or quarantine powerpoint files in the perimeter (prevent powerpoint email attachments and getting powerpoint files on the web), but it's not easy as it has genuine uses and it has the potential of not needed the ".ppt" file extention.
  • Keep antivirus signatures up to date.
  • Keep an eye out for a patch from Microsoft.
  • ...
If you do run into a sample we're interested in obtaining one (to add to our collection ;-) )

--
Swa Frantzen -- Section 66

 Swa

760 Posts
Sep 28th 2006
Thread locked Subscribe Sep 28th 2006
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!