Unpatched Powerpoint Flaw Exploited
18th Jul 2006, 14:06 GMT
Online criminals are taking advantage of an unpatched security hole in Microsoft's Office products again. Security experts say they've spotted a flaw in the Powerpoint slide-presentation program being exploited in the wild. This undocumented flaw does not appear to have been addressed in any of the 13 security updates Microsoft shipped this week to mend a variety of problems in Office software. As Security Fix and others have noted, some of the work Microsoft has done in hardening the security of the Windows operating system has forced the bad guys to look for lower-hanging fruit in applications that run on top of Windows, so we may see more Office flaws under attack. Andreas Marx of AV-Test.org notes that hackers appear to be surfacing with new exploits just days after Microsoft's monthly Patch Tuesday cycle has passed, possibly to have more time to exploit vulnerable systems before Redmond issues its next round of updates. Marx said he "just got involved in an industry espionage case where this particular unpatched flaw was used to steal a lot of data." Marx said the loss to corporations from such attacks is immeasurable if competitors gain access to confidential documents or proprietary information. No word yet from Microsoft about this Powerpoint problem, but I will update this blog with more information should Redmond issue an advisory. As usual, be extremely judicious about downloading and opening attachments that arrive via e-mail. And if all of this Office craziness has you spooked, you might consider switching over to OpenOffice , an open-source and free alternative. It looks and feels a lot like MS Office, and can do pretty much everything Microsoft's products can. If you're interested and would like a primer on OpenOffice, check out this writeup. Update, July 17, 10:20 p.m. ET: Microsoft this evening issued an advisory on this vulnerability, which it said affects PowerPoint 2000, 2002, and 2003, and that it hoped to have a patch released for it by Aug. 8 or sooner. Microsoft says the flaw is not present in its PowerPoint Viewer 2003 application, which is free. I should note, however, that Microsoft made a similar claim about a Word vulnerability that it first detailed in a remarkably similar advisory in May. At the time, Redmond said its Word Viewer application wasn't vulnerable to the attack, but when it finally released June's batch of patches, it came out that the viewer was in fact also exploitable.
Unpatched Powerpoint Flaw Exploited related news:
- Unpatched Powerpoint Flaw Exploited — Security Fix
- New Zero-day PowerPoint Attack Under Way — Systems Management Pipeline
- PowerPoint ZeroDay Vulnerability Exploited — Slashdot
- Microsoft to plug PowerPoint hole — ZDNet News - Front Door
- New PowerPoint flaw used in attacks — Computerworld Breaking News
- When PowerPoint presentations attack — The Register - Security
- Sophos: Firms wait for Microsoft fix for day zero PowerPoint flaw — noticias.info
- Sophos: Chinese words of love exploit PowerPoint day zero flaw — noticias.info
- PowerPoint flaw opens attack door — Techworld.com Security News
- Chinese Words of Love Exploit PowerPoint Day Zero Flaw — Kansas City infoZine Computer Headlines