PowerPoint Zero Day Vulnerability In-the-Wild

Microsoft has released Security Advisory 969136 warning of a newly discovered zero day PowerPoint vulnerability. The flaw impacts PowerPoint versions found in Windows versions of Office 2000, 2002, 2003, and Office 2004 for Mac. Successful exploit allows for the execution of arbitrary code, which is granted the same permissions available to the logged in user. By default, on most versions of Windows, the user is logged in as Administrator, thus giving malicious code full rights to the system.

According to security researchers at Trend Micro, currently observed variants are being sent via email and the PowerPoint slides may masquerade as 'Celebrities Without Makeup' or 'Turn Off Your Power for 1 Hour'.

When the malicious PPT is opened, the file 'fssm32.exe' is dropped and run, which in turn creates %temp%\setup.exe.

A second variant of the PPT exploit drops 'temp.exe' and runs it, which then creates 'suhost.exe' in the system temp folder.

The newly created file in the temp folder (either setup.exe or suhost.exe) is then run, resulting in the following files dropped to the infected computer:

%ProgramFiles%\Internet Explorer\IEUpd.exe
%ProgramFiles%\Internet Explorer\iexplore.hlp
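As an added example (not part of the original post and not code from Trend Micro, Symantec or Microsoft), the following script checks a host for the dropped-file paths quoted above. It expands the Windows-style %VAR% references itself so the indicator list can stay exactly as the post writes it, and it accepts an injectable environment mapping and existence check so the logic can be exercised with constructed data on any platform; on a real Windows host, call find_dropped_files() with no arguments. The sample environment and file list in the demo are constructed values, not data from the post.

```python
"""Host check for the dropped-file indicators named in the post.

Indicator paths are the ones the post lists: setup.exe (variant 1) or
suhost.exe (variant 2) in the temp folder, and IEUpd.exe / iexplore.hlp in
the Internet Explorer folder. Everything else here is an added assumption.
"""
import os
import re
from typing import Callable, Iterable, List, Mapping, Optional, Tuple

# Paths as written in the post, keyed to the stage the post attributes them to.
INDICATORS = {
    r"%temp%\setup.exe": "first-stage dropper (variant 1)",
    r"%temp%\suhost.exe": "first-stage dropper (variant 2)",
    r"%ProgramFiles%\Internet Explorer\IEUpd.exe": "second-stage payload",
    r"%ProgramFiles%\Internet Explorer\iexplore.hlp": "second-stage payload",
}

_VAR = re.compile(r"%([^%]+)%")


def expand_windows_vars(path: str, env: Mapping[str, str]) -> str:
    """Expand %VAR% references case-insensitively, as cmd.exe does.

    A variable missing from env is left unexpanded so the report shows the
    raw reference instead of silently checking a wrong location.
    """
    lookup = {k.lower(): v for k, v in env.items()}

    def sub(m: re.Match) -> str:
        return lookup.get(m.group(1).lower(), m.group(0))

    return _VAR.sub(sub, path)


def find_dropped_files(
    env: Optional[Mapping[str, str]] = None,
    exists: Optional[Callable[[str], bool]] = None,
) -> List[Tuple[str, str]]:
    """Return (expanded_path, role) for every indicator present on the host.

    `env` defaults to the process environment and `exists` to os.path.exists;
    both are injectable so the check can be tested offline.
    """
    env = os.environ if env is None else env
    exists = os.path.exists if exists is None else exists
    hits = []
    for raw, role in INDICATORS.items():
        full = expand_windows_vars(raw, env)
        if "%" in full:
            continue  # unexpanded variable: nothing sensible to check
        if exists(full):
            hits.append((full, role))
    return hits


def fake_exists(present: Iterable[str]) -> Callable[[str], bool]:
    """Build a case-insensitive existence check over a constructed file list."""
    lowered = {p.lower() for p in present}
    return lambda p: p.lower() in lowered


if __name__ == "__main__":
    # Constructed demo data (assumption, not from the post): a variant-2
    # infection that has already reached the second stage.
    demo_env = {"TEMP": r"C:\Users\demo\AppData\Local\Temp",
                "ProgramFiles": r"C:\Program Files"}
    demo_files = [r"C:\Users\demo\AppData\Local\Temp\suhost.exe",
                  r"C:\Program Files\Internet Explorer\IEUpd.exe",
                  r"C:\Program Files\Internet Explorer\iexplore.exe"]
    for path, role in find_dropped_files(demo_env, fake_exists(demo_files)):
        print(f"INDICATOR PRESENT: {path}  [{role}]")
```

The check reports a path only when its variable expanded, so a host where %temp% is unset produces no false hit. The presence of any listed file is a reason to pull the host for the vendor scans named under Detection, not proof on its own, since the post gives file names but no hashes.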

To confirm Internet access, the trojan attempts to connect to www.download.microsoft.com. The trojan is also coded to send system information to remote attackers, including parsing directory structures and sending lists of the contents. Other capabilities of the trojan include the ability to download additional malware to impacted systems.

Detection:
Trend Micro detects the malicious PowerPoint file as TROJ_PPDROP.AB. The files dropped are detected as TROJ_KUPS.F and BKDR_KUPS.F.

Antivirus vendor Symantec detects the malicious PowerPoint file as Trojan.PPDropper.H. Detection for the dropped files was not listed on the Symantec site when this article was written.

Microsoft detects the malicious PPT as Exploit:Win32/Apptom.gen. The dropped files are detected by Microsoft as TrojanDropper:Win32/Apptom.A, TrojanDropper:Win32/Apptom.B, TrojanDropper:Win32/Apptom.C, and Trojan:Win32/Cryptrun.A.

Prevention:
A patch to guard against the exploit of this vulnerability is not available (at the time of this article). However, Microsoft provides several workarounds to prevent the exploit. These workarounds are described in Microsoft Security Advisory 969136. In addition to applying these workarounds, exercise caution when opening PPT files received via email or encountered on a website.

1 comments:

poster printing 08 November, 2010 09:15  

These workarounds are described in Microsoft Security Advisory 969136. In addition to applying these workarounds....

