Just 3 days after Patch Tuesday, Microsoft confirms a new vulnerability in PowerPoint that could cause complete system compromise. To be clear, this is different from the MS06-028 PowerPoint vulnerability announced on Tuesday. There is no patch available at this time. A specially crafted PowerPoint file (.ppt) causes an unknown error in the PowerPoint application. This error may be causing a buffer overflow that allows an attacker to execute code of their choice on the user's computer. Reported exploits in the wild leave Trojan.PPDropper.B followed by Backdoor.Bifrose.E. Here is the image you will see if you open an infected PowerPoint file.

As you can see, the exploit displays Chinese writing, which seems to be a clue to its origin. There are several similarities between how this exploit was released and how a 0-day for Microsoft Word was released in June. Many speculate that the same person(s) are behind both.
Fortunately, Symantec (and probably others) has virus definitions for this Trojan. The problem is it could, and probably will, be a different Trojan next time. Secunia is calling this one Extremely Critical in their write-up. I agree, and here are some factors that make this one very bad news.
1. The number of vulnerable systems is very large.
This appears to affect all versions of Microsoft PowerPoint. Microsoft sells somewhere around $10 Billion worth of Office products per year. Folks, that is a lot of applications.
2. Relatively few, if any, vulnerabilities in PowerPoint files before.
I did a quick search to see if PowerPoint files have been the entry point for vulnerabilities before and did not see any. This means that, in general, people "trust" that opening a PPT file will not cause them problems.
3. PowerPoint files are almost ubiquitous in the enterprise.
With this being the case, IT and security managers may have to do a lot of tap dancing if they try to block PPT files at the gateway, mail server, etc. I know of one case today where the CEO had to step in and publicly support the blocking of PPT files until a resolution is available.
All of these, coupled with the usual problems like outdated AV definitions, users running as local admin, no egress filtering on the gateway... make this a sticky situation.
Should you want to block PPT files and you have Snort (or a Snort-like IPS), here are some Snort signatures that will help. The first one will detect inbound PowerPoint files in an email. The other two will detect PowerPoint files on any TCP port. A big thanks to Steve Reynolds ( sreynolds @ nitrosecurity . com ) from NitroSecurity for providing the signatures. These are not official NitroSecurity signatures; they are ones he wrote.
Although commercial IPS vendors may have signatures to detect the exploit, I have not seen any free Snort signatures that do. I suspect that Bleeding Snort will post them if some become available.
Remember to have your $SMTP_SERVERS variable set correctly, and change alert to drop (which requires Snort to be running inline) if you want to block them.
****NOTE**** These signatures block ALL PowerPoint attachments. You have been warned.
# sid values below are placeholders in the local rule range (1000000+); Snort requires a sid on every rule, so assign your own
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PowerPoint attachment detected in SMTP"; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:50; content:".ppt|22|"; distance:0; within:50; nocase; classtype:suspicious-filename-detect; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"PowerPoint attachment detected in SMTP"; content:"Content-Type|3a|"; content:"name=|22|"; distance:0; within:50; content:".ppt|22|"; distance:0; within:50; nocase; classtype:suspicious-filename-detect; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PowerPoint attachment detected"; content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0; within:50; content:".ppt|22|"; distance:0; within:50; nocase; classtype:suspicious-filename-detect; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PowerPoint attachment detected"; content:"Content-Type|3a|"; content:"name=|22|"; distance:0; within:50; content:".ppt|22|"; distance:0; within:50; nocase; classtype:suspicious-filename-detect; sid:1000004; rev:1;)

–Chris
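As an added example (my own code, not from the original post and not NitroSecurity's), here is a Python script that replays the two checks the signatures make, but over a fully parsed MIME message instead of raw TCP payload: a Content-Disposition filename ending in .ppt and a Content-Type name ending in .ppt, both case-insensitive like the nocase modifier. It goes one step beyond the rules by decoding each part and testing for the OLE2 container header that binary PowerPoint files start with. That is the check a filename signature cannot make: an attachment with a misleading extension passes the name match but not the header check. The header is shared with legacy .doc and .xls, so a magic hit means "OLE2 document", not specifically PowerPoint. The sample message, filenames and payload bytes are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# OLE2 / Compound File Binary header. Legacy binary .ppt files use this container,
# as do .doc and .xls, so a magic hit means "OLE2 document", not specifically PowerPoint.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# Same test the signatures make on the quoted filename: ".ppt" at the end,
# case-insensitive (the nocase modifier in the rules).
PPT_EXT = re.compile(r"\.ppt$", re.IGNORECASE)


def inspect_message(raw: bytes) -> list:
    """Return one record per MIME part that looks like a PowerPoint attachment.

    reasons:
      disposition-filename  Content-Disposition ... filename="...ppt"  (signatures 1 and 3)
      content-type-name     Content-Type ... name="...ppt"            (signatures 2 and 4)
      ole2-magic            decoded payload starts with the OLE2 header (the signatures
                            never look at the payload, so this catches a renamed file)
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reasons = []
        disp_name = part.get_param("filename", header="content-disposition")
        type_name = part.get_param("name", header="content-type")
        # get_param returns a tuple for RFC 2231 encoded parameters; only plain strings are checked
        if isinstance(disp_name, str) and PPT_EXT.search(disp_name):
            reasons.append("disposition-filename")
        if isinstance(type_name, str) and PPT_EXT.search(type_name):
            reasons.append("content-type-name")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(OLE2_MAGIC):
            reasons.append("ole2-magic")
        if reasons:
            if isinstance(disp_name, str):
                label = disp_name
            elif isinstance(type_name, str):
                label = type_name
            else:
                label = "<unnamed>"
            findings.append({"name": label, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample mail (not a real captured message) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Q3 deck"
    msg.set_content("Slides attached.")
    fake_ppt = OLE2_MAGIC + b"\x00" * 64  # constructed stand-in for a binary .ppt body
    # 1. Upper-case extension: the case-insensitive name match must still fire.
    msg.add_attachment(fake_ppt, maintype="application",
                       subtype="vnd.ms-powerpoint", filename="Q3_deck.PPT")
    # 2. Unrelated attachment: must not fire.
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    # 3. OLE2 container renamed to .txt: both filename checks miss it, only the magic check fires.
    msg.add_attachment(fake_ppt, maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in inspect_message(build_sample()):
        print(f"{hit['name']}: {', '.join(hit['reasons'])}")
```

Run stand-alone it reports Q3_deck.PPT on the name checks and the magic check, and notes.txt on the magic check only; agenda.pdf is silent. The script inspects a message after MIME decoding, so it belongs on a mail gateway or content filter rather than in the IPS; the Snort rules above match the raw headers on the wire and do not decode base64 bodies, which is why the extension is all they can see.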
UPDATE
Microsoft has released an advisory on this vulnerability here.