By Joris Evers
Staff Writer, CNET News.com
July 13, 2006
Deja vu? Only a day after Microsoft's monthly patch day, a new security
hole in Microsoft Office is being exploited in cyberattacks.
These attacks take advantage of a previously unknown vulnerability in
PowerPoint for which no patch is available, security experts at Symantec
said in an alert issued Wednesday. The flaw might affect Microsoft Office
in general, according to the alert.
Microsoft is investigating the issue, it said in an e-mailed statement
Thursday. The company is aware of attacks that exploit the flaw, but those
are "extremely limited, targeted attacks," it said. For an attack to be
successful, users must open a malicious PowerPoint file provided to them,
for example via e-mail, Microsoft noted.
It seems like history is repeating itself. Days after last month's "Patch
Tuesday," security experts raised the alarm on a "zero-day" flaw in
Microsoft's Excel that was being used in targeted attacks. Microsoft
released a fix for the Excel vulnerability on Tuesday.
Like the Excel flaw, the PowerPoint vulnerability can allow an attacker to
gain complete control over a vulnerable PC, Symantec said. "When a user
launches the (malicious) PowerPoint document, the vulnerability is
triggered. Successful exploitation of this issue leads to remote code
execution," Symantec said in its alert.
On Tuesday, Microsoft released seven security bulletins with fixes for 18
vulnerabilities in several of its products, including many in Office. Some
security experts believe the timing of an attack right after a monthly
patch day is no coincidence. Microsoft typically does not release fixes
outside of its monthly patching cycle for such flaws.
"It looks like the bad guys are waiting for the Microsoft patch days in
order to use some more vulnerabilities in Office," said Andreas Marx, an
antivirus software specialist at the University of Magdeburg in Germany.
"They will now have at least one more month for their attacks."
Microsoft said it will take action to protect customers upon completion of
its investigation into the new flaw. This may include issuing a security
advisory or providing a security update through its monthly release
process, the company said.
Meanwhile, the software giant left two already known security
vulnerabilities unfixed on Tuesday. One of the flaws lies in a Windows
component called "hlink.dll" and could be exploited by crafting a
malicious Excel file. Another affects Japanese, Korean and Chinese
language versions of Excel. Both flaws could completely compromise a PC if
a targeted user opens a malicious file.
Although Microsoft was aware of the two vulnerabilities prior to the July
security bulletin release, both issues were reported too late in the
engineering process for the company to include security updates with the
July release, a Microsoft spokesman said.
Proof of concept code that exploits both flaws has been released publicly
for both of these flaws, but there are no reports of active attacks,
"So we have two old unpatched holes and one new one," Marx said. "We're up
to three troublemakers now. Excel and PowerPoint can be quite dangerous,
at least until the next patch day."
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.