PowerPoint exploit adds to Microsoft’s busy week

Another exploit for a popular Microsoft program has been found in the wild during an already hectic week for the software giant.

Experts from McAfee's Avert Labs said on a company blog this week that they found a new exploit for Microsoft PowerPoint in the wild.

Microsoft Office 2000, XP and 2003 are affected by the exploit, virus researcher Craig Schmugar said on Avert Labs' blog.

News of the new exploit came during a week when Redmond had already released an early patch for a flaw in Internet Explorer (IE) on Tuesday. Multiple attack vectors had been used to exploit that flaw.

McAfee researchers believe the exploit is part of a targeted attack, since a single target of the exploit has been discovered, he said.

Schmuger told today that the exploit could become more dangerous if its target scope widens.

"The flaw itself we rate as critical because remote code execution is possible and (hackers) could put whatever malware they want in a system," he said. "Right now, this is pretty contained, but as far as what it could do, it's pretty severe."

Microsoft's anti-virus (AV) products had just added detection for the malware on Saturday, according to McAfee.

When the trojan loads into PowerPoint, it runs a .exe file and installs two .dll files, which then get injected into Internet Explorer (IE) and post information to a malicious site.

McAfee said the risk to home and corporate users is low.

A Microsoft spokesperson said today that the company is investigating reports of limited zero-day attacks and will take appropriate action, and said the exploit affects PowerPoint versions 2000, 2002, 2003, 2004 for Mac and 2004 v. X for Mac.

"In order for this attack to be carried out, a user must first open a malicious Microsoft PowerPoint document that is sent as an email attachment or otherwise provided to them by an attacker," said the spokesperson.

Earlier this week, researchers at Sunbelt Software discovered a new zero-day exploit affecting IE and requiring no user interaction.

Researchers found two pornographic websites hosting the exploit, caused by a buffer overflow impacting the DirectAnimation Path ActiveX control.

Click here to email Frank Washkuch Jr.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.