5 replies to this topic

[AplusWebMaster]

FYI...

- http://www.techweb.c...urity/190400030
July 13, 2006
"An unpatched bug in Microsoft's PowerPoint presentation maker is being exploited by an in-the-wild attack, Symantec researchers said Thursday, marking the latest bad news for Office users. According to the Cupertino, Calif. security vendor's threat analysis team, attacks are currently under way using an unpatched vulnerability in PowerPoint. If the "zero-day" attack is successful, the hacker gains complete control of the compromised computer. The attack is carried out by a Trojan horse with the moniker "PPDDropper.b"* which hides inside a malicious PowerPoint file attached to an e-mail with a Google Gmail return address. PPDDropper.b, in turn, drops a backdoor component, dubbed "Bifrose.e" by Symantec. Bifrose.e then injects a malicious routine into Windows' EXLORER.EXE process, and overwrites the malformed PowerPoint file with a new, clean presentation document... That part of the process is identical to one used last month by a now-patched Excel attack... Unlike the Excel bug, the PowerPoint flaw -- confirmed only in PowerPoint 2003 thus far -- remains open to attack. Microsoft issued three security updates Tuesday to fix various versions of Office and its applications, but the Thursday bug was not among the 13 flaws patched..."

* http://www.symantec....-071212-4413-99
Trojan.PPDropper.B
Risk Level 1: Very Low
"...It spreads by exploiting an undocumented Microsoft Powerpoint Remote Code Execution Vulnerability using a malformed string..."

[AplusWebMaster]

FYI...

- http://secunia.com/v...72/ppdropper.b/
#1 - SYMANTEC
Trojan.PPDropper.B
Severity: 1/5 ...
Reported: 2006-07-12 14:40
Last Update: 2006-07-13 07:20
Description: Trojan.PPDropper.B is a Trojan horse that drops a file on the compromised computer. It spreads by exploiting an undocumented Microsoft Powerpoint Remote Code Execution Vulnerability using a malformed string...
Full Report From Vendor...
ChangeLog:
Changes are listed in chronological order with the latest changes first.
2006-07-13 07:20 Description was changed.
New:
"Trojan.PPDropper.B is a Trojan horse that drops a file on the compromised computer. It spreads by exploiting an undocumented Microsoft Powerpoint Remote Code Execution Vulnerability using a malformed string."
Old:
"Trojan.PPDropper.B is a Trojan horse that exploits a vulnerability in Microsoft Office PowerPoint and drops an executable that opens a back door on the compromised computer.""

"...# Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses..."

[AplusWebMaster]

FYI...

MSRC blog - Information on the recent Powerpoint vulnerability
- http://blogs.technet.../14/441893.aspx
"...We’ll be documenting this through the weekend in the form of a security advisory and will post it as soon as we are confident in the protection steps (we’re targeting Monday morning)..."

- http://cve.mitre.org...e=CVE-2006-3590
Assigned (20060714)
"...Unspecified vulnerability in mso.dll, as used by Microsoft PowerPoint 2000 through 2003, allows remote user-complicit attackers to execute arbitrary commands via a crafted PPT file, which causes a "memory corruption error..."

- http://www.kb.cert.org/vuls/id/936945

[AplusWebMaster]

FYI...

- http://isc.sans.org/...=1&storyid=1484
Last Updated: 2006-07-15 00:03:53 UTC ...(Version: 3)
"...Most of the major AV vendors received samples of the infected PPT file and added detection for it so far. However, this doesn't mean that you can completely relax now – while we don't know what part of the infected PPT file they use for detection, it is quite possible that new exploits for this same vulnerability (once and if they are released) will not be detected properly (we've seen this before with other vulnerabilities in Microsoft Office product, Excel for example). At this moment we are not sure exactly which versions of Microsoft PowerPoint are affected by this vulnerability. It looks like all versions 2000 through to 2003 are vulnerable. We also can't confirm whether the PowerPoint Viewer utility is or isn't affected...

UPDATE 2 07/14/2006
Three (!!!) PoCs for this vulnerability(ies) have just been publicly posted. From what we can tell at the moment, they all just crash PowerPoint, but they show where the vulnerabilities are, so a full exploit can be written. This is a first step to remote exploitation so we can unfortunately expect to see some malware using this very soon (and we though it will be another quiet weekend). Again, stress out to users how important it is to be very careful when opening PowerPoint files (and if possible, don't open them at all until the patch is out). Otherwise you'll have to rely on your desktop anti-virus product to catch the dropped component, and we all know how (un)reliable this can be."

- http://secunia.com/advisories/21040/
Release Date: 2006-07-14
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched ..."

Edited by AplusWebMaster, 15 July 2006 - 05:10 AM.

[AplusWebMaster]

FYI...

- http://www.f-secure....6.html#00000922
July 17, 2006
"...The bad guys are taking advantage of three things:
The first is the patch cycle itself. These new exploits are being released after the second Tuesday of each month to maximize its lifespan.
The second is the common day-to-day routine of receiving Office files. There haven't been any new macro viruses to speak of for some time and so Office files (doc/xml/ppt) easily pass through corporate firewalls and people don't think twice about clicking on them. This avenue of attack is currently under the radar and is not perceived as a danger by end users.
And the third advantage is that the companies exploited don't want to talk about it. They dread the negative publicity as a victim of espionage. That's why the public doesn't know the name of last month's Excel exploit victim. Such hush-hush may be keeping some of these exploits from being reported."

[AplusWebMaster]

FYI...

- http://secunia.com/advisories/21061/
Release Date: 2006-07-18
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Unpatched
...The vulnerability has been confirmed on Windows XP SP2 with a fully patched PowerPoint 2003. Other versions may also be affected.
NOTE: Two other issues, which can be exploited to crash the application, have also been reported.
Solution:
Do not open untrusted Office documents..."

- http://cve.mitre.org...e=CVE-2006-3660
- http://cve.mitre.org...e=CVE-2006-3656
- http://cve.mitre.org...e=CVE-2006-3655

> http://forums.tomcoy...iew=getlastpost

Edited by AplusWebMaster, 18 July 2006 - 07:35 AM.