Bardissi Enterprises Blog

Bardissi Enterprises: WatchGuard LiveSecurity Attackers Target Zero Day PowerPoint Vulnerability

Attackers Target Zero Day PowerPoint Vulnerability
Severity: High

3 April, 2009
Summary:
  • This vulnerability affects: All current versions of Microsoft PowerPoint for Windows and Mac computers (also affects PowerPoint Viewer and Office Compatibility Packs)
  • How an attacker exploits it: By enticing your users into opening a maliciously crafted PowerPoint presentation
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: Implement the workarounds described in the Solution Path section of this alert
Exposure:
Yesterday, Microsoft released a security advisory warning of a very critical unpatched PowerPoint vulnerability, which attackers have already begun exploiting on the Internet. The vulnerability affects all current versions of PowerPoint for Windows and Mac, as well as the Microsoft PowerPoint Viewer and the Office Compatibility Packs.

Since Microsoft just learned about this flaw, they don’t describe it in much technical detail. They only say that the flaw involves PowerPoint accessing an invalid object in memory. However, the advisory does tell how attackers can leverage the flaw. By enticing one of your users into downloading and opening a maliciously crafted PowerPoint document (.ppt), an attacker can exploit this vulnerability to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

With attackers actively exploiting this vulnerability in the wild, it poses a significant threat to Microsoft Office and PowerPoint users. Microsoft hasn’t had time to patch the flaw yet, but they plan to in the near future. Until then, we recommend you implement the workarounds described below to mitigate the risk of this dangerous zero day attack.

Solution Path
Microsoft has not had time to release a patch for this zero day vulnerability. However, the workarounds described below should mitigate the risk of attacks currently circulating in the wild.
  • Inform your users of this vulnerability. Advise them to remain wary of unsolicited PowerPoint (.ppt) documents arriving via email. If they don’t absolutely need the document, and don’t trust the entity it came from, they should avoid opening it until Microsoft releases a patch.
  • Use up-to-date antivirus (AV) software. AV companies are sure to release signatures that detect these malicious PowerPoint files. Make sure to update your AV regularly.
  • Use the Microsoft Office Isolated Conversion Environment (MOICE) to open untrusted PowerPoint documents. MOICE is a Microsoft add-on that provides a special environment in which you can more securely open Word, Excel, and PowerPoint binary format files. For more details on using it, see the “Suggested Actions” section of Microsoft’s security advisory.
  • Use a gateway device, like your Firebox, to block PowerPoint files. If your users can’t download PowerPoint files, this exploit won’t affect them. Unfortunately, doing this blocks legitimate PowerPoint files as well. Nonetheless, depending on your business needs, you may still consider blocking PowerPoint files until Microsoft releases a patch.
We will update this alert when Microsoft releases a patch.

For All WatchGuard Users:
Many of WatchGuard’s Firebox models can block incoming PowerPoint files. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if PowerPoint files are not absolutely necessary to your business, you may consider blocking them using the Firebox’s HTTP and SMTP proxy until Microsoft releases a fix for this vulnerability.
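
The same blocking decision can be sketched for a mail filter. The following is an added example, not WatchGuard or Firebox code: it holds attachments named .ppt, as the proxy rule does, and also recognises the PowerPoint binary format by content when the file name carries no such extension. The function names, sample message, and attachment stubs are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")          # OLE2 compound file signature
PPT_STREAM = "PowerPoint Document".encode("utf-16-le")  # main stream name in a .ppt file
BLOCKED_EXT = (".ppt",)                                 # extend to suit local policy

def classify(filename, payload):
    """Return why an attachment should be held, or None to let it pass."""
    if (filename or "").lower().endswith(BLOCKED_EXT):
        return "extension"
    # Heuristic content check: OLE2 container that names a PowerPoint stream.
    if payload.startswith(OLE2_MAGIC) and PPT_STREAM in payload:
        return "content"
    return None

def scan_message(raw):
    """List (filename, reason) for every attachment that should be held."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reason = classify(part.get_filename(), data)
        if reason:
            findings.append((part.get_filename(), reason))
    return findings

def build_sample():
    """Constructed test message; the attachments are stubs, not real documents."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Q1 slides"
    msg.set_content("See attached.")
    stub = OLE2_MAGIC + b"\x00" * 504 + PPT_STREAM
    for name, data in [("slides.ppt", b"placeholder"),
                       ("notes.dat", stub),
                       ("report.pdf", b"%PDF-1.4 placeholder")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"hold {name}: matched by {reason}")
```

The content check is a heuristic on the container signature and stream name; it does not detect whether a presentation is malicious, only that it is a PowerPoint binary file.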

If you decide you want to block PowerPoint documents, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block .ppt files by their file extension:
  • Firebox X Edge running 10.x
  • Firebox X Core and X Peak running Fireware 10.x

Status:
Microsoft plans to release a patch for this vulnerability. Until then, implement the workarounds described above.

References:
Microsoft Security Advisory
 
