
New Zero-day PowerPoint Attack (via Trojan) Under Way


5 replies to this topic

#1 AplusWebMaster


Posted 13 July 2006 - 01:53 PM

FYI...

- http://www.techweb.c...urity/190400030
July 13, 2006
"An unpatched bug in Microsoft's PowerPoint presentation maker is being exploited by an in-the-wild attack, Symantec researchers said Thursday, marking the latest bad news for Office users. According to the Cupertino, Calif. security vendor's threat analysis team, attacks are currently under way using an unpatched vulnerability in PowerPoint. If the "zero-day" attack is successful, the hacker gains complete control of the compromised computer. The attack is carried out by a Trojan horse with the moniker "PPDropper.b"* which hides inside a malicious PowerPoint file attached to an e-mail with a Google Gmail return address. PPDropper.b, in turn, drops a backdoor component, dubbed "Bifrose.e" by Symantec. Bifrose.e then injects a malicious routine into Windows' EXPLORER.EXE process, and overwrites the malformed PowerPoint file with a new, clean presentation document... That part of the process is identical to one used last month by a now-patched Excel attack... Unlike the Excel bug, the PowerPoint flaw -- confirmed only in PowerPoint 2003 thus far -- remains open to attack. Microsoft issued three security updates Tuesday to fix various versions of Office and its applications, but the Thursday bug was not among the 13 flaws patched..."

* http://www.symantec....-071212-4413-99
Trojan.PPDropper.B
Risk Level 1: Very Low
"...It spreads by exploiting an undocumented Microsoft Powerpoint Remote Code Execution Vulnerability using a malformed string..."

:ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2 AplusWebMaster


Posted 14 July 2006 - 09:34 AM

FYI...

- http://secunia.com/v...72/ppdropper.b/
#1 - SYMANTEC
Trojan.PPDropper.B
Severity: 1/5 ...
Reported: 2006-07-12 14:40
Last Update: 2006-07-13 07:20
Description: Trojan.PPDropper.B is a Trojan horse that drops a file on the compromised computer. It spreads by exploiting an undocumented Microsoft Powerpoint Remote Code Execution Vulnerability using a malformed string...
Full Report From Vendor...
ChangeLog:
Changes are listed in chronological order with the latest changes first.
2006-07-13 07:20 Description was changed.
New:
"Trojan.PPDropper.B is a Trojan horse that drops a file on the compromised computer. It spreads by exploiting an undocumented Microsoft Powerpoint Remote Code Execution Vulnerability using a malformed string."
Old:
"Trojan.PPDropper.B is a Trojan horse that exploits a vulnerability in Microsoft Office PowerPoint and drops an executable that opens a back door on the compromised computer."

"...# Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses..."

:oops:



#3 AplusWebMaster


Posted 14 July 2006 - 05:02 PM

FYI...

MSRC blog - Information on the recent Powerpoint vulnerability
- http://blogs.technet.../14/441893.aspx
"...We’ll be documenting this through the weekend in the form of a security advisory and will post it as soon as we are confident in the protection steps (we’re targeting Monday morning)..."

- http://cve.mitre.org...e=CVE-2006-3590
Assigned (20060714)
"...Unspecified vulnerability in mso.dll, as used by Microsoft PowerPoint 2000 through 2003, allows remote user-complicit attackers to execute arbitrary commands via a crafted PPT file, which causes a "memory corruption error..."

- http://www.kb.cert.org/vuls/id/936945

:ph34r:



#4 AplusWebMaster


Posted 14 July 2006 - 06:45 PM

FYI...

- http://isc.sans.org/...=1&storyid=1484
Last Updated: 2006-07-15 00:03:53 UTC ...(Version: 3)
"...Most of the major AV vendors received samples of the infected PPT file and added detection for it so far. However, this doesn't mean that you can completely relax now – while we don't know what part of the infected PPT file they use for detection, it is quite possible that new exploits for this same vulnerability (once and if they are released) will not be detected properly (we've seen this before with other vulnerabilities in Microsoft Office product, Excel for example). At this moment we are not sure exactly which versions of Microsoft PowerPoint are affected by this vulnerability. It looks like all versions 2000 through to 2003 are vulnerable. We also can't confirm whether the PowerPoint Viewer utility is or isn't affected...

UPDATE 2 07/14/2006
Three (!!!) PoCs for this vulnerability(ies) have just been publicly posted. From what we can tell at the moment, they all just crash PowerPoint, but they show where the vulnerabilities are, so a full exploit can be written. This is a first step to remote exploitation so we can unfortunately expect to see some malware using this very soon (and we thought it will be another quiet weekend). Again, stress out to users how important it is to be very careful when opening PowerPoint files (and if possible, don't open them at all until the patch is out). Otherwise you'll have to rely on your desktop anti-virus product to catch the dropped component, and we all know how (un)reliable this can be."

- http://secunia.com/advisories/21040/
Release Date: 2006-07-14
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ..."

:ph34r:

Edited by AplusWebMaster, 15 July 2006 - 05:10 AM.



#5 AplusWebMaster


Posted 17 July 2006 - 05:17 AM

FYI...

- http://www.f-secure....6.html#00000922
July 17, 2006
"...The bad guys are taking advantage of three things:
The first is the patch cycle itself. These new exploits are being released after the second Tuesday of each month to maximize its lifespan.
The second is the common day-to-day routine of receiving Office files. There haven't been any new macro viruses to speak of for some time and so Office files (doc/xml/ppt) easily pass through corporate firewalls and people don't think twice about clicking on them. This avenue of attack is currently under the radar and is not perceived as a danger by end users.
And the third advantage is that the companies exploited don't want to talk about it. They dread the negative publicity as a victim of espionage. That's why the public doesn't know the name of last month's Excel exploit victim. Such hush-hush may be keeping some of these exploits from being reported."

:(



#6 AplusWebMaster


Posted 18 July 2006 - 05:03 AM

FYI...

- http://secunia.com/advisories/21061/
Release Date: 2006-07-18
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Unpatched
...The vulnerability has been confirmed on Windows XP SP2 with a fully patched PowerPoint 2003. Other versions may also be affected.
NOTE: Two other issues, which can be exploited to crash the application, have also been reported.
Solution:
Do not open untrusted Office documents..."

- http://cve.mitre.org...e=CVE-2006-3660
- http://cve.mitre.org...e=CVE-2006-3656
- http://cve.mitre.org...e=CVE-2006-3655

> http://forums.tomcoy...iew=getlastpost

:ph34r:

Edited by AplusWebMaster, 18 July 2006 - 07:35 AM.
