"No, Chicken Little. That's not a new PowerPoint zero-day."

Created: 22 Aug 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:57:40 GMT

Over the last few days there's been a lot of buzz about whether or not there is a new zero-day vulnerability in the Microsoft PowerPoint application being exploited. Some people thought that the exploit was a spin-off from the recently announced PowerPoint vulnerability in MS06-048 (in August). However, what Symantec Security Response has determined is that the exploit is in fact based on Microsoft Office vulnerabilities disclosed in MS06-012, which was announced back in March of this year.

Upon analysis of samples related to this particular exploit in question, we discovered that it is related to Trojan.PPDropper, which we've had detection for since August 17, 2006. This file then drops a downloader that will download Keylogger.Trojan from two separate addresses (we've had detection for the downloader and Keylogger.Trojan since August 12, 2006).

Symantec has also determined that the exploit occurs just as you close a PowerPoint document, which is typical of MS06-012 exploits and only affects unpatched PowerPoint XP, including SP3. Successful execution of this particular exploit will crash PowerPoint on the compromised system, but it won't allow for code execution. Patched systems are not affected.

So, to cut a long story short:
1) Be sure to install the latest security updates. Symantec has protection against all malicious code related to this particular vulnerability exploit, from as early as August 12, 2006.
2) Install the MS06-012 patch. This is not a zero-day vulnerability, just a blast from the recent past.