The Microsoft Security Response Center has released Advisory 969136 today about a vulnerability in Microsoft Office PowerPoint that is being exploited in the wild. Office 2000, Office XP, Office 2003 and Mac Office are vulnerable; the latest version, Office 2007, is not. The Microsoft SRD blog provides more details about how to protect your environment from the vulnerability.

So far we’re aware of several distinct exploit files that have been used. All of them appear to have been used only in targeted attacks, so the number of affected customers is very low. Here’s a diagram that shows how such an attack unfolds:

[Diagram: how a targeted attack with a malicious PowerPoint file unfolds]

Usually these files look legitimate when opened, so it is quite easy to fall prey without even noticing that something malicious ran in the background. Here are two examples of the first slide of such slideshows:

[Screenshots: the first slide of two of the malicious presentations]

We are also releasing today a generic signature, Exploit:Win32/Apptom.gen, to protect our customers against these exploits. Windows Live OneCare and Forefront Client Security block access to such exploit files when a user tries to open them. This new signature is included in definition update version 1.55.975.0 or higher.

The malicious PPT files try to drop malware once opened. Here is a screenshot of the process activity after a malicious document has been opened:

[Screenshot: process activity after a malicious document has been opened]

We’ve added detection for the dropped binaries as:

Fssm32.exe:  TrojanDropper:Win32/Apptom.A
Setup.exe:   TrojanDropper:Win32/Apptom.B
IEUpd.exe:   Trojan:Win32/Cryptrun.A
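The process activity that follows opening one of these documents is the kind of thing a detection rule can key on. As an added example (not code from the original post, and not Microsoft's detection logic), here is a small Python process-lineage check that flags any non-Office executable spawned under an Office process and raises the severity when the child's name matches one of the dropped binaries listed above. The sample events are constructed for illustration, since the screenshot is not reproduced here; the exact parent/child relationships are an assumption and are labelled as such in the code.

```python
"""Flag PowerPoint spawning executables, as the Apptom droppers do.

Added example, not from the original post. The events below are
constructed; the post's screenshot of the real process activity is not
reproduced here, so the parent/child chain used is an assumption. The
rule itself is generic: a process with an Office application as an
ancestor that is not itself an Office binary is suspicious, and a child
whose image name matches one of the dropped files named in the post is
flagged at high severity.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str  # executable file name only, no path


OFFICE_IMAGES = {"powerpnt.exe", "winword.exe", "excel.exe"}

# Dropped binaries named in the post, with the detection names assigned to them.
APPTOM_DROPS = {
    "fssm32.exe": "TrojanDropper:Win32/Apptom.A",
    "setup.exe": "TrojanDropper:Win32/Apptom.B",
    "ieupd.exe": "Trojan:Win32/Cryptrun.A",
}

# Constructed sample events. The chain POWERPNT -> Fssm32 -> Setup -> IEUpd
# is an assumption made for this example, not taken from the post.
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, "explorer.exe"),
    ProcEvent(2000, 1000, "POWERPNT.EXE"),
    ProcEvent(2100, 2000, "Fssm32.exe"),
    ProcEvent(2200, 2100, "Setup.exe"),
    ProcEvent(2300, 2200, "IEUpd.exe"),
    ProcEvent(3000, 1000, "WINWORD.EXE"),
    ProcEvent(3100, 3000, "splwow64.exe"),  # non-Office child, medium severity
]


def office_ancestor(event: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[ProcEvent]:
    """Walk up the parent chain and return the nearest Office ancestor, if any."""
    seen = set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:  # guard against pid reuse loops
        seen.add(cur.pid)
        if cur.image.lower() in OFFICE_IMAGES:
            return cur
        cur = by_pid.get(cur.ppid)
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (severity, image, reason) for each suspicious process-creation event."""
    by_pid = {e.pid: e for e in events}
    alerts: List[Tuple[str, str, str]] = []
    for e in events:
        name = e.image.lower()
        if name in OFFICE_IMAGES:
            continue  # Office launching Office (e.g. embedded objects) is normal
        ancestor = office_ancestor(e, by_pid)
        if ancestor is None:
            continue
        if name in APPTOM_DROPS:
            alerts.append(("high", e.image,
                           f"{APPTOM_DROPS[name]} running under {ancestor.image}"))
        elif by_pid[e.ppid].image.lower() in OFFICE_IMAGES:
            alerts.append(("medium", e.image,
                           f"non-Office executable spawned directly by {ancestor.image}"))
    return alerts


if __name__ == "__main__":
    for severity, image, reason in detect(SAMPLE_EVENTS):
        print(f"{severity:6} {image:14} {reason}")
```

The high-severity rule matches on the ancestor chain rather than the direct parent, so a dropper that launches its payload through an intermediate stage (Setup.exe launching IEUpd.exe in the constructed sample) is still tied back to PowerPoint. Name-based matching is only a convenience; the hashes below are the reliable indicator.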

The exploit files have recently been submitted to the popular VirusTotal scan site. Either the miscreants who created these exploits were checking how antivirus products detect their new files, or the victims were looking for information about their maliciousness. For our fellow researchers in other security companies, here are the MD5 and SHA1 hashes of these exploits:

MD5 Hash                          SHA1 Hash
8fa472db5f85ce73d589b22979efff8f  e50c6512d307d41f61e1150128add91b416fe330
ea1fb578a65098f1813cbf0d5f1fa97a  cc2b9284b9396f36b61aca17b06a420ed56a30ee
301d3e6dff463163c15e9a612048a001  b08d1ca322e8de04bb920a227ad34c3b93e56e1a
5de89ec7545b90d42c417501a810e948  f9b5b020d96540695d76c9a43ca9daa35b54cb28
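As an added example (not code from the original post, and not a Microsoft tool), here is a Python hunt script that takes the four MD5/SHA1 pairs above, walks a directory tree, hashes each candidate file once and reports any whose digests match. The OLE2 pre-filter is an assumption: the post describes the samples as PPT files, and legacy binary .ppt documents are OLE2 compound files, so files without that header are skipped unless the filter is switched off.

```python
"""Hunt a directory tree for the Apptom PowerPoint exploit samples.

Added example, not code from the original post. Indicators are the
MD5/SHA1 pairs published in the post. The OLE2 magic pre-filter is an
assumption (legacy binary .ppt files are OLE2 compound documents); pass
ole2_only=False to hash every file regardless of header.
"""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Indicators from the post: MD5 -> SHA1 of each exploit file.
APPTOM_HASHES: Dict[str, str] = {
    "8fa472db5f85ce73d589b22979efff8f": "e50c6512d307d41f61e1150128add91b416fe330",
    "ea1fb578a65098f1813cbf0d5f1fa97a": "cc2b9284b9396f36b61aca17b06a420ed56a30ee",
    "301d3e6dff463163c15e9a612048a001": "b08d1ca322e8de04bb920a227ad34c3b93e56e1a",
    "5de89ec7545b90d42c417501a810e948": "f9b5b020d96540695d76c9a43ca9daa35b54cb28",
}

# Header of an OLE2 compound document (legacy .ppt/.doc/.xls).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def is_ole2(header: bytes) -> bool:
    """True if the first bytes look like an OLE2 compound document."""
    return header[:8] == OLE2_MAGIC


def digest_bytes(data: bytes) -> Tuple[str, str]:
    """MD5 and SHA1 hex digests of an in-memory buffer."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def digest_file(path: str, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """MD5 and SHA1 of a file, computed in a single streaming pass."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def match_iocs(md5: str, sha1: str) -> Optional[str]:
    """Classify a digest pair against the published indicators.

    "match"   both digests agree with one published pair
    "partial" only one digest is known (mistyped indicator or, for MD5,
              a possible collision); worth a manual look
    None      no indicator matched
    """
    md5, sha1 = md5.lower(), sha1.lower()
    md5_hit = md5 in APPTOM_HASHES
    sha1_hit = sha1 in APPTOM_HASHES.values()
    if md5_hit and APPTOM_HASHES[md5] == sha1:
        return "match"
    if md5_hit or sha1_hit:
        return "partial"
    return None


def hunt(root: str, ole2_only: bool = True) -> List[Tuple[str, str, str, str]]:
    """Walk root and return (path, md5, sha1, verdict) for every indicator hit."""
    hits: List[Tuple[str, str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if ole2_only:
                    with open(path, "rb") as fh:
                        if not is_ole2(fh.read(8)):
                            continue
                md5, sha1 = digest_file(path)
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            verdict = match_iocs(md5, sha1)
            if verdict is not None:
                hits.append((path, md5, sha1, verdict))
    return hits


if __name__ == "__main__":
    import sys
    for path, md5, sha1, verdict in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:8} {md5} {sha1} {path}")
```

Both digests are required for a full match: MD5 alone is no longer collision resistant, so a lone MD5 hit is reported as "partial" rather than trusted outright. The pre-filter reads only eight bytes per file, which keeps a sweep of a mail store or file share cheap; drop it if the samples could have been renamed or re-wrapped.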

As usual, be cautious when opening attachments from untrusted sources and make sure your antivirus software is up to date. Microsoft will release a security update for this issue; once it is available, install it promptly.

We’d like to thank Patrick Nolan for his help with creating this blog post.

--Cristian Craioveanu & Ziv Mador