New Targeted PowerPoint Attacks

PowerPointMicrosoft has issued a Security Advisory about a remote code execution flaw in most versions of Windows:

“Microsoft is aware of a vulnerability affecting all supported releases of Microsoft Windows, excluding Windows Server 2003. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file… An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”

These are targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint.  The Advisory goes on to say, “In a web-based attack scenario, an attacker would have to host a website that contains the special crafted Microsoft Office file, such as a PowerPoint file, that is used in an attempt to exploit this vulnerability. In addition, compromised websites could contain specially crafted content that could exploit this vulnerability. …an attacker would have to persuade the target user to visit the website, typically by getting them to click a hyperlink that directs a web browser to the attacker-controlled website.”

The second way this attack works is through email.  An infected PowerPoint file could be emailed to a user where social engineering tactics would be used to get them to open it, thereby allowing the attack to be executed.  A practical example of this would be the attacker using LinkedIn to find someone in accounts payable at your company, then emailing them a document entitled “Invoice 673824”.  That’s social engineering at it’s simplest, sending an infected file to someone who would be expecting invoices to be emailed to them.

To date Microsoft has only seen this attack using PowerPoint although based on the vulnerability other Microsoft Office file types can also be used.

One option, in a business network environment, is for most employees to not have admin rights.  This is desirable for a number of reasons, but in this case users without admin rights are not a desirable target, as the attacker using this exploit only gains the same rights as the current user.  So while your accounts payable clerks receive all kinds of emailed documents, if they don’t have admin rights they are less likely to be the source of an exploit.


Leave a Reply

Your email address will not be published.

Back to top