PowerPoint zero-day vulnerability (969136)

Published: 2009-04-03
Last Updated: 2009-04-03 21:03:28 UTC
by Lenny Zeltser (Version: 3)
0 comment(s)

Several ISC readers shared with us a link to Microsoft's advisory 969136, which describes a zero-day vulnerability in PowerPoint.

You can also find the description of the exploit observed in the wild on the Microsoft Malware Protection Center blog, and additional technical details on the Microsoft Security Research & Defense blog. Kudos to Microsoft for being so transparent about the incidents! (Thanks for the links, Juha-Matti.) 

The CVE placeholder for this vulnerability is CVE-2009-0556 (not live as of this writing).

If you have observed the exploit in the wild and can share the details with us, please let us know.

Update 1: Sergio de los Santos shared with us the SHA-1 hashes, as received by VirusTotal, of the known malicious PPT files that exploit this vulnerability:

e50c6512d307d41f61e1150128add91b416fe330
cc2b9284b9396f36b61aca17b06a420ed56a30ee
b08d1ca322e8de04bb920a227ad34c3b93e56e1a
f9b5b020d96540695d76c9a43ca9daa35b54cb28
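For readers who want to sweep a file share or mail quarantine for the four known samples above, here is a small hash-matching script. It is an added example written for this diary entry, not code from the ISC or from VirusTotal; the four SHA-1 values are the ones listed above, and everything else (function names, the optional extension filter, the command-line usage) is an assumption of the example. By default it hashes every file under the given directory rather than only `.ppt` files, since a malicious sample may have been renamed.

```python
#!/usr/bin/env python3
"""Scan a directory tree for files whose SHA-1 matches the known malicious PPT samples.

Added example for the ISC diary on advisory 969136; the hash set below is the list
published in Update 1 of the diary. Function and parameter names are assumptions.
"""
import hashlib
import os
import sys
from pathlib import Path

# SHA-1 hashes of the known malicious PPT files, as listed in the diary (Update 1).
KNOWN_MALICIOUS_SHA1 = frozenset({
    "e50c6512d307d41f61e1150128add91b416fe330",
    "cc2b9284b9396f36b61aca17b06a420ed56a30ee",
    "b08d1ca322e8de04bb920a227ad34c3b93e56e1a",
    "f9b5b020d96540695d76c9a43ca9daa35b54cb28",
})

# Legacy binary PowerPoint extensions; used only when the caller asks to filter.
PPT_EXTENSIONS = frozenset({".ppt", ".pps", ".pot"})


def sha1_of_bytes(data: bytes) -> str:
    """Hex SHA-1 of an in-memory blob (handy for mail attachments already in memory)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-1 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_malicious(digest: str) -> bool:
    """True if the hex digest (any case) is one of the published sample hashes."""
    return digest.strip().lower() in KNOWN_MALICIOUS_SHA1


def scan_tree(root: str, extensions=None):
    """Walk `root` and return a list of (path, sha1) for files matching the IoC set.

    `extensions` is an optional set such as PPT_EXTENSIONS; when None (the default)
    every file is hashed, so renamed samples are still caught. Unreadable files are
    skipped rather than aborting the scan.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if extensions is not None and Path(name).suffix.lower() not in extensions:
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # permission denied, vanished file, etc.
            if is_known_malicious(digest):
                hits.append((path, digest))
    return hits


if __name__ == "__main__":
    # Usage: scan_ppt_iocs.py <directory> [--ppt-only]
    if len(sys.argv) < 2:
        sys.exit("usage: scan_ppt_iocs.py <directory> [--ppt-only]")
    filt = PPT_EXTENSIONS if "--ppt-only" in sys.argv[2:] else None
    for path, digest in scan_tree(sys.argv[1], filt):
        print(f"MATCH {digest} {path}")
```

The script reports only exact hash matches, so it will not detect re-packed or edited variants; treat it as a quick triage for the specific samples listed here, not as a substitute for an updated antivirus signature or for MOICE-style conversion of untrusted documents.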

Update 2: An ISC reader highlighted the effectiveness of the latest version of the Microsoft Office Isolated Conversion Environment (MOICE) at converting "legacy" binary-format Office documents to the XML-based formats. XML versions of Office documents are less likely to carry exploits. Microsoft recommends running binary-format Office documents that arrive from unfamiliar parties through MOICE before opening them. I'm skeptical about the practicality of rolling out and supporting MOICE on a large scale, but it sounds like a good approach for some situations. The ISC reader pointed out that the initial release of MOICE "was flawed," so if you use it, make sure you have the latest version (which came out around May 2007). He also mentioned that "MOICE uses the system TEMP/TMP folder for scratch space during file conversions, and scratch data is not automatically wiped or deleted."

-- Lenny

Lenny Zeltser - Security Consulting

Lenny teaches malware analysis at SANS Institute. You're welcome to follow him on Twitter. You can track new Internet Storm Center diaries by following ISC on Twitter.
