New PowerPoint Zero-day Found: Coincidence or Strategy?
Just a day after Microsoft released their July security bulletins, a new PowerPoint zero-day vulnerability was discovered as part of a targeted and limited attack. It was Tuesday, July 12th, and it was Microsoft’s "patch day". On July 11th, Microsoft had released seven new security bulletins as part of the standard security life cycle. The following bulletins are rated as “critical” and affect the Microsoft Office suite, which is quickly becoming the next most popular platform exploited by attackers:
• MS06-037 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (917285)
• MS06-038 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)
• MS06-039 - Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (915384)
In addition, the MS06-037 patch was long awaited because it fixes several Excel vulnerabilities exploited in the wild or disclosed on public mailing lists during the previous weeks. But, just a day after the bulletin release, a new PowerPoint zero-day was reported as being discovered as part of a targeted and limited attack. The malicious PowerPoint file is detected as Trojan.PPDropper.B and may arrive by email as part of the attack. The vulnerability resides within the shared component MSO.DLL and affects all currently supported versions of PowerPoint.
I'd like to think that it was only a twist of fate, but I doubt that the release of this new Office exploit is a simple coincidence. It is probably a chosen strategy or part of an attack plan. Consider this: if someone finds a new vulnerability and wants to maximize the exposure window of the exploit, what is the perfect day to launch the attack?