Barely a day after Microsoft patched the Vector Markup Language (VML) flaw in Internet Explorer, the company was forced to acknowledge a new zero-day attack against PowerPoint. Meanwhile, exploit code has been released for another Internet Explorer flaw.
"Microsoft is investigating new public reports of limited 'zero-day' attacks using a vulnerability in PowerPoint 2000, PowerPoint 2002, Office PowerPoint 2003, PowerPoint 2004 for Mac, and PowerPoint 2004 [version] X for Mac," Microsoft said in an advisory.
But for the attack to succeed, Microsoft noted, "a user must first open a malicious PowerPoint file attached to an email or otherwise provided to them by an attacker."
Microsoft said it will take steps to address the threat once it concludes the investigation. "This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," the company said.
The French Security Incident Response Team (FrSIRT) said in an advisory that the flaw is in how malformed PowerPoint documents are handled. Attackers could exploit the flaw to run arbitrary commands on a targeted machine by tricking a user into opening a specially crafted document.
Two pieces of malware are actively exploiting the security hole: Trojan.Controlppt-W and Trojan.Controlppt-X, also known as PPDropper-F and Exploit-PPT-d.
Until a patch is released, Microsoft recommends users mitigate the threat by:
- Using PowerPoint Viewer 2003 to open and view files. PowerPoint Viewer 2003 does not contain the vulnerable code and is not susceptible to this attack.
- Not opening or saving PowerPoint files received from untrusted sources, since the flaw could be exploited when a user opens a specially crafted PowerPoint file.
Meanwhile, Metasploit Framework creator H.D. Moore has discovered a flaw in Internet Explorer that attackers could exploit through malicious Web sites, corrupting memory on the computer of a user who visits one of them.
Danish vulnerability clearinghouse Secunia confirmed the flaw on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2 and noted that exploit code is publicly available.
"The vulnerability is caused due to an integer overflow error in the 'setSlice()' method in the 'WebViewFolderIcon' ActiveX control," Secunia said in an advisory. "This can be exploited to corrupt memory when visiting a malicious Web site."
Secunia said only trusted Web sites should be allowed to run ActiveX controls.