Unpatched PowerPoint Flaw Exploited
Online criminals are taking advantage of an unpatched security hole in Microsoft's Office products again. Security experts say they've spotted a flaw in the PowerPoint slide-presentation program being exploited in the wild.
This undocumented flaw does not appear to have been addressed in any of the 13 security updates Microsoft shipped this week to mend a variety of problems in Office software. As Security Fix and others have noted, some of the work Microsoft has done in hardening the security of the Windows operating system has forced the bad guys to look for lower-hanging fruit in applications that run on top of Windows, so we may see more Office flaws under attack.
Andreas Marx of AV-Test.org notes that hackers appear to be surfacing with new exploits just days after Microsoft's monthly Patch Tuesday cycle has passed, possibly to have more time to exploit vulnerable systems before Redmond issues its next round of updates. Marx said he "just got involved in an industry espionage case where this particular unpatched flaw was used to steal a lot of data." Marx said the loss to corporations from such attacks is immeasurable if competitors gain access to confidential documents or proprietary information.
No word yet from Microsoft about this PowerPoint problem, but I will update this blog with more information should Redmond issue an advisory. As usual, be extremely judicious about downloading and opening attachments that arrive via e-mail. And if all of this Office craziness has you spooked, you might consider switching over to OpenOffice, an open-source and free alternative. It looks and feels a lot like MS Office, and can do pretty much everything Microsoft's products can. If you're interested and would like a primer on OpenOffice, check out this writeup.
Update, July 17, 10:20 p.m. ET: Microsoft this evening issued an advisory on this vulnerability, which it said affects PowerPoint 2000, 2002, and 2003, and that it hoped to have a patch released for it by Aug. 8 or sooner. Microsoft says the flaw is not present in its PowerPoint Viewer 2003 application, which is free. I should note, however, that Microsoft made a similar claim about a Word vulnerability that it first detailed in a remarkably similar advisory in May. At the time, Redmond said its Word Viewer application wasn't vulnerable to the attack, but when it finally released June's batch of patches, it came out that the viewer was in fact also exploitable.