July 13, 2006
"An unpatched bug in Microsoft's PowerPoint presentation maker is being exploited by an in-the-wild attack, Symantec researchers said Thursday, marking the latest bad news for Office users. According to the Cupertino, Calif. security vendor's threat analysis team, attacks are currently under way using an unpatched vulnerability in PowerPoint. If the "zero-day" attack is successful, the hacker gains complete control of the compromised computer. The attack is carried out by a Trojan horse with the moniker "PPDDropper.b"* which hides inside a malicious PowerPoint file attached to an e-mail with a Google Gmail return address. PPDDropper.b, in turn, drops a backdoor component, dubbed "Bifrose.e" by Symantec. Bifrose.e then injects a malicious routine into Windows' EXLORER.EXE process, and overwrites the malformed PowerPoint file with a new, clean presentation document... That part of the process is identical to one used last month by a now-patched Excel attack... Unlike the Excel bug, the PowerPoint flaw -- confirmed only in PowerPoint 2003 thus far -- remains open to attack. Microsoft issued three security updates Tuesday to fix various versions of Office and its applications, but the Thursday bug was not among the 13 flaws patched..."
Risk Level 1: Very Low
"...It spreads by exploiting an undocumented Microsoft Powerpoint Remote Code Execution Vulnerability using a malformed string..."