    New PPT 0-day

    Jul 14, 9:44 am (UTC-7)

    Barely three days after Patch Tuesday, another new 0-day vulnerability has been disclosed or released. This time, the target of the malicious code, which exploits an undocumented vulnerability, is Microsoft PowerPoint.


    Recall that just last month there was also a PPT vulnerability, which has already been patched by MS06-028. This was the “Microsoft PowerPoint Remote Code Execution Using a Malformed Record Vulnerability”. Three months before that, an Office vulnerability labeled the “Microsoft Office Remote Code Execution Using a Malformed Routing Slip Vulnerability” also affected the PowerPoint application. That vulnerability was used by the malware Trend detected as P97M_EMBED.AC and was patched by MS06-012.


    The 0-day found today also leads to code execution, and has been reported to be spreading in the wild as an attachment in emails that may be manually spammed in large numbers. The PPT file is a dropper that may drop and execute a backdoor malware that can compromise a user’s system. Trend Micro is currently working to provide the appropriate solutions for this new threat.


    In the meantime, we advise our customers to be careful about accepting and opening unsolicited emails with attached PPT files, especially ones that have Chinese characters in the filename.


    More updates to follow…

    Update (Ivan, Fri, 14 Jul 2006 03:10:22 PM)


    More information from SecurityFocus can be found below:


    Affected:

    Microsoft PowerPoint 2003 SP2

    + Microsoft Office 2003 SP2

    Microsoft PowerPoint 2003 SP1

    + Microsoft Office 2003 SP1

    Microsoft PowerPoint 2003 0

    + Microsoft Office 2003


    *** Other versions may also be vulnerable.

    Update (Ivan, Fri, 14 Jul 2006 09:58:44 PM)


    The detection name Trend has for the trojanized PowerPoint file that exploited the 0-day vulnerability is TROJ_MDROPPER.AS. Trend’s pattern file has been updated with this detection to protect our customers since July 11, 2006 at around 8:58 PM, using Control Pattern 3.564.01 and above.








     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice