Stephen Withers
Monday, 06 April 2009 10:03
A fresh wave of malicious documents is being used in targeted attacks on Microsoft Office users. This time, PowerPoint is the vehicle.
Microsoft warned late last week of "limited and targeted attacks" attempting to exploit an unpatched vulnerability in several versions of PowerPoint.
Opening a maliciously crafted PowerPoint file can result in the execution of remote code.
According to Microsoft's Security Research and Defense blog, the malware targeting this vulnerability is the first reliable exploit for Office SP3 with the latest security updates.
Also affected by the vulnerability are PowerPoint 2000, 2002 and 2004. PowerPoint 2007 is not affected.
Microsoft officials say that several different exploit files have been seen, but so far they have only been used for targeted attacks. When the malicious documents are opened, they attempt to drop additional malware onto the computer.
Microsoft's Bill Sisk said, "Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs."
The next monthly update is scheduled for Tuesday April 14.
Workarounds include blocking the use of binary PowerPoint files in favour of the XML-based .pptx and related formats, or forcing binary PowerPoint files to open in MOICE (Microsoft Isolated Conversion Environment). That tool does not have the vulnerability that's being exploited, and therefore can be safely used to convert binary PowerPoint files to their Office Open XML equivalents.
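The format split behind the first workaround can also be checked on file content, for instance when screening attachments before they reach users. The Python below is an added example, not code from Microsoft or from the original article; the function names, the stream-name and part-name heuristics, and the sample data are assumptions constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")          # compound-file (OLE2) signature
PPT_STREAM = "PowerPoint Document".encode("utf-16-le")  # main stream name in binary PowerPoint files


def classify(data: bytes) -> str:
    """Classify by content: 'binary-ppt', 'ooxml-ppt', 'other-ole2' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        # Heuristic (assumption): stream names sit in the container directory as UTF-16LE text.
        return "binary-ppt" if PPT_STREAM in data else "other-ole2"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        if "[Content_Types].xml" in names and "ppt/presentation.xml" in names:
            return "ooxml-ppt"
    return "other"


def triage(attachments):
    """Return (name, kind, blocked) per attachment; only binary PowerPoint is blocked."""
    return [(n, k, k == "binary-ppt") for n, k in ((n, classify(d)) for n, d in attachments)]


def fake_ole2(stream_name: bytes) -> bytes:  # constructed stand-in, not a valid document
    return OLE2_MAGIC + b"\x00" * 504 + stream_name + b"\x00" * 64


def fake_pptx() -> bytes:  # constructed minimal ZIP holding the two part names checked above
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<presentation/>")
    return buf.getvalue()


SAMPLES = [  # constructed sample attachments
    ("deck.ppt", fake_ole2(PPT_STREAM)),
    ("renamed.pptx", fake_ole2(PPT_STREAM)),  # binary file behind an OOXML extension
    ("deck.pptx", fake_pptx()),
    ("sheet.xls", fake_ole2("Workbook".encode("utf-16-le"))),
]

if __name__ == "__main__":
    print(*triage(SAMPLES), sep="\n")
```

The `renamed.pptx` sample is classified as binary PowerPoint, which is why the check reads the content instead of trusting the extension.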
Microsoft has updated Windows Live OneCare and Forefront to detect the exploit files. The company is working with other security vendors to provide broader detection.