New 0-day Exploits Using PowerPoint Files


The Microsoft Security Response Center has released Advisory 969136 today about a vulnerability in Microsoft Office PowerPoint which is being exploited in the wild. Office 2000, Office XP, Office 2003 and Mac Office are vulnerable; however, the latest version, Office 2007, is not. The Microsoft SRD blog provides more details about how to protect your environment from the vulnerability.
So far we're aware of several distinct exploit files that have been used. All of them appear to have been used only in targeted attacks, so the number of affected customers is very low. Here's a diagram that demonstrates how such an attack happens:


Usually these files look legitimate when opened, so it is quite easy to fall prey and not even notice that something malicious ran in the background. Here are two examples of the first slide in such slideshows:


We are also releasing today a generic signature to protect our customers against these exploits. Its name is Exploit:Win32/Apptom.gen. Basically, access to such exploit files is blocked if a Windows Live OneCare user or a Forefront Client Security user tries to open them.

The malicious PPT files try to drop malware once opened. Here is a screenshot with the process activity after a malicious document has been executed:

We've added detection for these binaries as:
Fssm32.exe: TrojanDropper:Win32/Apptom.A
Setup.exe: TrojanDropper:Win32/Apptom.B
IEUpd.exe: Trojan:Win32/Cryptrun.A

The exploit files have recently been submitted to the popular VirusTotal scan site. Either the miscreants who created these exploits were looking to see how antivirus products detect their new files, or the victims were looking to get some information about their maliciousness. For our fellow researchers in other security companies, here are several SHA1 hashes of these exploits:

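As an added example (not code from the original post or from Microsoft), here is how a responder might put published MD5/SHA1 indicators to use on a quarantine folder of attachments: it separates legacy binary (OLE2) .ppt files from ZIP-based .pptx files, hashes each one, and flags hash matches. The `iocs` dictionary layout is an assumption, and the sample files and indicator set are constructed, not real exploit data.

```python
import hashlib
import os

# OLE2 compound-file header shared by legacy binary Office formats (PowerPoint 97-2003 .ppt,
# .doc, .xls). Office 2007 .pptx files are ZIP containers and start with b"PK" instead.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def is_legacy_office_file(data: bytes) -> bool:
    """True if the bytes start with the OLE2 header used by binary .ppt files."""
    return data[:8] == OLE2_MAGIC


def digests(data: bytes) -> dict:
    """MD5 and SHA1 hex digests, the two hash types shared in the advisory."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def triage_bytes(name: str, data: bytes, iocs: dict) -> dict:
    """Classify one attachment: legacy OLE2 format or not, and whether it matches a known hash."""
    d = digests(data)
    return {
        "name": name,
        "legacy_ole": is_legacy_office_file(data),
        "md5": d["md5"],
        "sha1": d["sha1"],
        "ioc_match": d["md5"] in iocs.get("md5", set()) or d["sha1"] in iocs.get("sha1", set()),
    }


def scan_directory(root: str, iocs: dict) -> list:
    """Triage every file under root; legacy .ppt files and IoC hits are reviewed first."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                results.append(triage_bytes(path, fh.read(), iocs))
    return results


if __name__ == "__main__":
    # Constructed sample inputs (not real exploit files): a fake legacy .ppt and a fake .pptx.
    fake_ppt = OLE2_MAGIC + b"\x00" * 504
    fake_pptx = b"PK\x03\x04" + b"\x00" * 60
    # Hypothetical IoC set seeded from the fake .ppt so the match path is exercised.
    iocs = {"md5": {digests(fake_ppt)["md5"]}, "sha1": set()}
    for name, data in (("deck.ppt", fake_ppt), ("deck.pptx", fake_pptx)):
        print(triage_bytes(name, data, iocs))
```

Populate `iocs` with the advisory's MD5 and SHA1 values before pointing `scan_directory` at a real quarantine folder.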

As usual, be cautious when you open attachments from untrusted sources and make sure your antivirus software is up to date. Microsoft will release a security update for this issue; once that happens, install it promptly.

Juan Pablo Castro | Sales Engineer, Mexico BU, LAR