Vulnerability

PowerPoint Zero-Day Exploit

The zero-day exploit takes advantage of a previously unknown vulnerability in PowerPoint to install a Trojan horse application.  The vulnerability affects PowerPoint 2000, 2002, and 2003 running on various flavors of Microsoft Windows; it is unclear at this time whether the Macintosh versions of Office are affected.  Based on what is known of the exploit, it seems unlikely that Macs could be hit by this particular exploit, but that is not to say that the vulnerability doesn’t exist in the Mac versions of Office.  (Keep in mind that a vulnerability isn’t the same as an exploit: the exploit is one piece of code that triggers the flaw and drops a Windows payload, and that payload won’t run on a Mac even if the flaw itself is present there.)

More information is available at the following links:

Simple filtering of PowerPoint files at the perimeter based on file extension is insufficient; Windows will open a file in PowerPoint if it has a correct PowerPoint file header but an incorrect extension, so a renamed .ppt sails straight through an extension filter.  Filter on the file header (what the file actually is) rather than on its name.  If your anti-virus vendor has released updates to detect infected/affected PowerPoint documents, be sure to install that update and vigorously check all incoming PowerPoint documents with it.
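As an added example (this is not code from the original post), here is a small Python filter that decides by content rather than extension.  Every Office 97-2003 document is an OLE2 compound file that begins with the same eight magic bytes, and the application that owns it is identified by a directory stream name inside the file (“PowerPoint Document”, “WordDocument”, “Workbook”).  The stream-name check below scans the raw bytes for the UTF-16LE name instead of parsing the compound-file directory, which is a heuristic good enough for a gateway; a production filter would parse the directory properly (for example with the olefile library).  The sample inputs are constructed stand-ins, not real documents.

```python
import os
from typing import Optional, Tuple

# Magic bytes shared by all OLE2 compound files (Word/Excel/PowerPoint 97-2003).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Directory stream names that identify the owning Office application.
# The compound-file directory stores entry names as UTF-16LE.  Checked in order.
STREAM_MARKERS = (
    ("PowerPoint Document", "powerpoint"),
    ("WordDocument", "word"),
    ("Workbook", "excel"),
    ("Book", "excel"),          # BIFF5 (Excel 5/95) workbooks
)

# What each extension claims to be; anything not listed is "unknown".
EXT_CLAIMS = {
    ".ppt": "powerpoint", ".pps": "powerpoint", ".pot": "powerpoint",
    ".doc": "word", ".dot": "word",
    ".xls": "excel", ".xlt": "excel",
}


def sniff_ole2_type(data: bytes) -> Optional[str]:
    """Identify an OLE2 document by content.  Returns 'powerpoint', 'word',
    'excel', 'ole2-unknown', or None when the data is not an OLE2 file at all."""
    if not data.startswith(OLE2_MAGIC):
        return None
    for name, kind in STREAM_MARKERS:
        if name.encode("utf-16-le") in data:
            return kind
    return "ole2-unknown"


def classify(filename: str, data: bytes, block_powerpoint: bool = True) -> Tuple[str, str]:
    """Gateway decision: ('allow' | 'quarantine', reason).

    block_powerpoint=True models the zero-day policy from the post: hold every
    PowerPoint document, whatever its name.  Independently of that, an Office
    extension whose content is a different Office type is always held."""
    claimed = EXT_CLAIMS.get(os.path.splitext(filename)[1].lower(), "unknown")
    actual = sniff_ole2_type(data)
    if actual is None:
        return "allow", "not an OLE2 document"
    if block_powerpoint and actual == "powerpoint":
        return "quarantine", f"PowerPoint content (extension says {claimed})"
    if claimed != "unknown" and claimed != actual:
        return "quarantine", f"extension claims {claimed} but content is {actual}"
    return "allow", f"{actual} document with matching extension"


# --- constructed samples: the real magic, a zeroed 512-byte header, then one
# --- directory entry name.  These are NOT valid documents, just enough to sniff.
def make_ole2_sample(stream_name: str) -> bytes:
    header = OLE2_MAGIC + b"\x00" * (512 - len(OLE2_MAGIC))
    return header + stream_name.encode("utf-16-le") + b"\x00\x00"


SAMPLES = {
    "deck.ppt":   make_ole2_sample("PowerPoint Document"),
    "photo.jpg":  make_ole2_sample("PowerPoint Document"),  # a renamed deck
    "memo.doc":   make_ole2_sample("WordDocument"),
    "budget.xls": make_ole2_sample("WordDocument"),         # Word content, Excel name
    "real.jpg":   b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,       # JPEG magic, not OLE2
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict, reason = classify(name, blob)
        print(f"{name:12s} {verdict:10s} {reason}")
```

The interesting case is `photo.jpg`: an extension filter lets it through, the content check does not.  Note what the heuristic cannot do: it tells you a file is a PowerPoint document, not whether that document carries the exploit, so it belongs in front of an updated anti-virus scan, not in place of one.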

Now that Word, Excel, and PowerPoint have all had their zero-day exploits, which Office application is next?

Microsoft Word Vulnerability

Security researchers recently uncovered a zero-day vulnerability in Microsoft Word that allows attackers to install a backdoor Trojan horse on the affected computers.

More information on this vulnerability can be obtained from the following links:

Alert Raised for MS Word Zero-Day Attack
<http://www.eweek.com/article2/0,1759,1965042,00.asp>

Microsoft Word Malformed Object Code Execution Vulnerability
<http://secunia.com/advisories/20153/>

Microsoft Security Advisory (919637): Vulnerability in Word Could Allow Remote Code Execution
<http://www.microsoft.com/technet/security/advisory/919637.mspx>

SecuriTeam Blogs: Mitigating Newly-Reported Word Vulnerability
<http://blogs.securiteam.com/index.php/archives/421>

As described in the above articles, there are a number of ways to protect yourself against this vulnerability:

  • Don’t log in with administrative privileges.  The exploit fails to work if the user doesn’t have administrative privileges.
  • Use an older version of Microsoft Office.  The vulnerability only affects Word 2002/XP and Word 2003.  Users of Word 2000 and earlier are apparently not affected.
  • Use the Word Viewer to view documents, as the Viewer is not affected by this vulnerability.

Anti-virus vendors are updating their signatures to try to catch this, but I wouldn’t rely solely upon anti-virus to protect against this vulnerability.  A patch has not yet been released by Microsoft, which anticipates releasing one for this issue in June.

More WMF Flaws Uncovered

And here I thought things would settle down a bit now that Microsoft has released MS06-001, the patch for the previous exploitable WMF flaw.  Now, just days after the release of that out-of-band security patch, more WMF flaws have been uncovered.

This article describes some new WMF flaws recently uncovered and announced on the BugTraq mailing list.  (See this article for more information as well.)  Apparently, Symantec issued a warning via its Deepsight Management System, but I was unable to find an available online copy of that advisory.

Perhaps the most disturbing thing to me is the fact that Microsoft already knew about these newly disclosed problems.  In a Microsoft Security Response Center (MSRC) blog posting, Lennart Wistrand (a lead security program manager for the MSRC) indicated that these problems had already been identified by Microsoft during code review, but were not going to be addressed as part of the MS06-001 security patch because “These issues do not allow an attacker to run code or crash the operating system. They may cause the WMF application to crash, in which case the user may restart the application and resume activity.”

OK, so we know that we have a flaw in our software.  We know that other flaws in the same portion of software have already proven to be remotely exploitable and can result in remote code execution.  (Keep in mind that Microsoft also released a WMF patch last year as MS05-053.)  It is certainly possible that these flaws could result in remote code execution, although at this time all that we’ve seen are denial of service and application crashes.  Yet, we decide that we are not going to fix the flaw until the next Service Pack, whenever that might be?  That’s just crazy, in my opinion.

Fortunately for end users, remote code execution has not been demonstrated (yet) with these flaws, and they do not appear to be as exploitable as the ones patched with MS06-001.  If you haven’t already, go ahead and patch systems with the MS06-001 fix, and then stay tuned for further developments with these newly disclosed vulnerabilities.  That’s about the best anyone can do under the circumstances.

WMF Flaw Patch Released

There’s a lot of chatter on the Internet today about the MS06-001 patch from Microsoft, designed to address the “zero-day” WMF flaw for which numerous exploits were circulating.  Here’s a brief look at some of the links.

Microsoft Ships ‘Emergency’ WMF Patch

MS Rushes Patch as WMF Exploit Tools Surface:  Of particular interest in this article is the WMFMaker exploit tool, a simple and straightforward tool that allows novice hackers to add malicious code to a WMF image.

Update: Microsoft releases WMF patch

WMF FAQ: What you need to know

Lest you think that malicious web sites were the only attack vector, read “Attempts to exploit WMF vulnerability by IM multiply,” which indicates that more than 70 variants of IM-based attacks have been identified.

One very interesting statement from one of the articles linked above was a note about the lifetime of this flaw and its related exploits.  Just as we are still dealing today with years-old viruses and worms circulating on the Internet, we can be sure that malicious WMF files will be around for a long time, exploiting older versions of Windows for which Microsoft did not release a patch because they are “end of life” (pre-SP4 Windows 2000, for example).
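Since unpatched machines will keep meeting these files, it is worth being able to spot them on the wire.  The MS06-001 flaw (CVE-2005-4560) is in GDI’s handling of the SETABORTPROC escape record inside a metafile, and a WMF arriving from outside has no legitimate reason to carry that escape.  As an added example, not code from the original post or from any of the tools it mentions, here is a Python scanner that walks the WMF record structure and flags SETABORTPROC escapes and record sizes that point outside the file.  The sample metafiles are constructed inline and are not real exploit files; the scanner covers only this one flaw, not the other WMF issues discussed above.

```python
import struct
from typing import Dict, List, Tuple

PLACEABLE_MAGIC = 0x9AC6CDD7     # optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009     # the escape abused by the MS06-001 exploits


class NotWmf(ValueError):
    """Data does not start with a WMF header."""


class MalformedRecord(ValueError):
    """A record's size field is below the minimum or points past the file."""


def parse_wmf_records(data: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk the metafile and return (offset, function, params) per record.
    Stops at META_EOF; raises NotWmf for a bad header, MalformedRecord for a bad size."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise NotWmf("truncated metafile header")
    mt_type, hdr_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:    # 1 = memory, 2 = disk; header is 9 words
        raise NotWmf("no standard WMF header")
    off += hdr_words * 2
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size is in 16-bit words
        end = off + size_words * 2
        if size_words < 3 or end > len(data):      # 3 words = size + function, nothing less is valid
            raise MalformedRecord(f"record at offset {off} claims {size_words} words")
        records.append((off, func, data[off + 6:end]))
        off = end
        if func == META_EOF:
            break
    return records


def scan_wmf(data: bytes) -> Dict[str, object]:
    """Triage verdict: 'not-wmf', 'clean', or 'suspicious' plus the reasons."""
    try:
        records = parse_wmf_records(data)
    except MalformedRecord as exc:
        return {"verdict": "suspicious", "reasons": [f"malformed record: {exc}"]}
    except NotWmf as exc:
        return {"verdict": "not-wmf", "reasons": [str(exc)]}
    reasons = []
    for off, func, params in records:
        # META_ESCAPE params: EscapeFunction (2 bytes), ByteCount (2 bytes), data
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == ESCAPE_SETABORTPROC:
                reasons.append(f"SETABORTPROC escape record at offset {off}")
    if not records or records[-1][1] != META_EOF:
        reasons.append("no META_EOF record")
    return {"verdict": "suspicious" if reasons else "clean", "reasons": reasons}


# --- constructed samples (not real exploit files, just correctly shaped records) ---
def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def _wmf(records: List[bytes], placeable: bool = False) -> bytes:
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, max_words, 0)
    prefix = struct.pack("<IH", PLACEABLE_MAGIC, 0) + b"\x00" * 16 if placeable else b""
    return prefix + header + body


BENIGN_WMF = _wmf([_record(0x020B, struct.pack("<hh", 0, 0)),    # META_SETWINDOWORG
                   _record(META_EOF)], placeable=True)
SETABORTPROC_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 4) + b"\x90" * 4),
                         _record(META_EOF)])
# Same file, but the escape record's size field now points far past the end of the data.
BAD_SIZE_WMF = SETABORTPROC_WMF[:18] + struct.pack("<IH", 0x7FFFFFFF, META_ESCAPE) + SETABORTPROC_WMF[24:]


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_WMF), ("setabortproc", SETABORTPROC_WMF),
                        ("bad-size", BAD_SIZE_WMF)):
        print(label, scan_wmf(blob))
```

Treat this as a triage aid rather than a verdict: it only recognises the MS06-001 escape and obviously broken record sizes, and a renamed .wmf served with a different extension or content type still needs to reach the scanner in the first place, which is the same content-versus-extension problem discussed for Office documents above.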