"No, Chicken Little. That's not a new PowerPoint zero-day."
Over the last few days there's been a lotof buzz about whether or not there is a new zero-day vulnerability inthe Microsoft PowerPoint application being exploited. Some peoplethought that the exploit was a spin-off from the recently announcedPowerPoint vulnerability in MS06-048 (in August). However, whatSymantec Security Response has determined is that the exploit is infact based on Microsoft Office vulnerabilities disclosed in MS06-012,which was announced back in March of this year.
Uponanalysis of samples related to this particular exploit in question, wediscovered that it is related to Trojan.PPDropper, which we've haddetection for since August 17, 2006. This file then drops a downloaderthat will download Keylogger.Trojan from two separate addresses (we'vehad detection for the downloader and Keylogger.Trojan since August 12,2006).
Symantec has also determined that the exploit occurs just as youclose a PowerPoint document, which is typical of MS06-012 exploits andonly affects unpatched PowerPoint XP, including SP3. Successfulexecution of this particular exploit will crash PowerPoint on thecompromised system, but it won't allow for code execution. Patchedsystems are not affected.
So, to cut a long story short:
1) Be sure to install the latest security updates. Symantec hasprotection against all malicious code related to this particularvulnerability exploit, from as early as August 12, 2006.
2) Install the MS06-012 patch. This is not a zero-day vulnerability, just a blast from the recent past.