Published July 19, 2006
In the midst of back-to-back zero-day attacks against select businesses in the Far East, Microsoft on July 17 released a security advisory with a terse message: Do not open or save unexpected Microsoft Office files, even if they come unexpectedly from a trusted source.
The company's advisory comes less than a week after virus hunters discovered that a previously undocumented flaw in Microsoft PowerPoint was being exploited to plant a keystroke logger on infected Windows systems.
Microsoft confirmed that the vulnerability exists in Microsoft PowerPoint 2000, Microsoft PowerPoint 2002 and Microsoft PowerPoint 2003, and said a patch is being developed and tested for release on August 8.
"In order for this attack to be carried out, a user must first open a malicious PowerPoint document attached to an e-mail or otherwise provided to them by an attacker," the Redmond, Wash., software giant said.
There are no pre-patch workarounds in the advisory. Instead, Microsoft said Windows users should avoid opening or saving Office files, especially those that arrive from untrusted sources.
If an Office file — Word, Excel or PowerPoint — arrives unexpectedly from a trusted source, the advice remains the same.
Because these file types are widely used for everyday business activities, Microsoft's suggested actions may appear impractical, but independent security researchers say enterprises with valuable data stored on client machines should warn employees about the associated risks of opening strange documents.
The latest PowerPoint attack, which was launched just 24 hours after the July Patch Tuesday, includes the use of a Trojan horse program called Trojan.PPDropper.B that arrives via e-mail from a GMail address.
The subject line of the e-mail and the .ppt file name are in Chinese characters, suggesting that the attacks are emanating from — and attacking targets — in the Far East.
Anti-virus vendor Sophos, headquartered in Abingdon, England, says the rigged PowerPoint presentation includes 18 slides purporting to contain "humorous" philosophy about love between men and women.
If the PowerPoint attachment is opened, the Trojan drops and executes a variant of Backdoor.Bifrose.E, a keystroke logger that is used to steal sensitive information and send it back to a remote server controlled by malicious hackers.
The Trojan also injects a malicious routine into the Explorer.exe process that overwrites the malicious PowerPoint file with a new clean copy of the document. Anti-virus researchers believe this tactic is used to wipe traces of the computer breach.
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
Copyright © 2006 Ziff Davis Media Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.