Patch/Configuration Management, Vulnerability Management

Exploit uses PowerPoint flaw in targeted attacks

Microsoft PowerPoint users were warned this week about a new exploit that takes advantage of a zero-day flaw in the program to drop a malicious file onto a compromised computer.

Symantec, which first warned PC users about the trojan, called PPDropper.B, on Wednesday, said in an advisory that the exploit had infected a low number of users.

The flaw was not fixed in this month's Microsoft Patch Tuesday release, which contained seven new fixes.

Dave Cole, director of Symantec Security Response, said Friday that "the (exploit release's) timing seems to be conspicuous, to say the least."

"This has been very limited – one customer, maybe two tops," he said. "It's very similar to other attacks. It's very targeted, using zero-day exploits working against Microsoft Office. It's looking to gain intellectual property, and it's opening up a generic backdoor."

Microsoft is investigating the flaw, and urges any affected users to contact product support at 1-866-PCSAFETY or

Microsoft is aware of extremely limited, targeted attacks exploiting this vulnerability," said a Microsoft spokesman. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs," said a Microsoft spokesman."

Microsoft released a batch of seven patches this week. Four of the fixes were for Microsoft Windows and three were for Microsoft Office, including a fix for a zero-day flaw in Microsoft Excel.

Last month, the Redmond, Wash., company released a giant, 12-patch group of fixes, which was followed by an exploit for the Excel flaw.

Sophos warned about the exploit in an advisory, saying it contains philosophy intended to be humorous about relationships between men and women.

Ron O'Brien, senior security analyst with Sophos, said today that the exploit trojan itself seems to be rather typical, but it's timing makes it more dangerous.

"Anytime that a trojan turns off anti-virus applications, we always take that into consideration because that means someone is putting obvious thought into what they're doing," he said. ‘This seems to have a very low prevalence, and its unfortunate that Microsoft has just done a series of patches, so we'll have to wait a month for another series."

The SANS Institute's Internet Storm Center said Friday that a group of Chinese hackers appears to be exploiting flaws for numerous programs within Microsoft Office.

"And the fact that they are releasing their stuff immediately after Microsoft released the patches certainly doesn't help," noted SANS researcher Bojan Zdrnja on the ISC website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.