Last Updated: 2009-04-03 21:03:28 UTC
by Lenny Zeltser (Version: 3)
Several ISC readers shared with us a link to Microsoft's advisory 969136, which describes a zero-day vulnerability in PowerPoint.
You can also find the description of the exploit observed in the wild on the Microsoft Malware Protection Center blog, and additional technical details on the Microsoft Security Research & Defense blog. Kudos to Microsoft for being so transparent about the incidents! (Thanks for the links, Juha-Matti.)
The CVE placeholder for this vulnerability is CVE-2009-0556 (not live as of this writing).
If you have observed the exploit in the wild and can share the details with us, please let us know.
Update 1: Sergio de los Santos shared with us the SHA-1 hashes VirusTotal received of the known malicious PPT files that exploit this vulnerability:
Update2: An ISC reader highlighted the effectiveness of the latest version of the Microsoft Office Isolated Conversion Environment (MOICE) to converting "legacy" binary formats of Office documents to XML-based formats. XML versions of Office documents are less likely to carry exploits. Microsoft recommends using MOICE prior to opening Office documents that arrive in binary formats from unfamiliar parties. I'm skeptical about the practicality of rolling out and supporting MOICE on a large scale, but it sounds like a good approach for some situations. The ISC reader pointed out that the initial release of MOICE "was flawed," so if using it, make sure you have the latest version (which came out around May 2007). He also mentioned that "MOICE uses the system TEMP/TMP folder for scratch space during file conversions, and scratch data is not automatically wiped or deleted."