Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: 0-day exploit for Microsoft PowerPoint - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
0-day exploit for Microsoft PowerPoint
Our readers Juha-Matti and Gennaro informed us about a new, undocumented vulnerability in Microsoft PowerPoint. It looks like the same group of Chinese hackers decided to take Office applications for a good test. And the fact that they are releasing their stuff immediately after Microsoft released the patches certainly doesn't help.

Symantec has a write-up of this; it doesn't look like it's wide spread at all at the moment.

UPDATE 07/14/2006

Microsoft is working on this issue and they've posted some information on their blog.
Most of the major AV vendors received samples of the infected PPT file and added detection for it so far. However, this doesn?t mean that you can completely relax now ? while we don?t know what part of the infected PPT file they use for detection, it is quite possible that new exploits for this same vulnerability (once and if they are released) will not be detected properly (we?ve seen this before with other vulnerabilities in Microsoft Office product, Excel for example).

At this moment we are not sure exactly which versions of Microsoft PowerPoint are affected by this vulnerability. It looks like all versions 2000 through to 2003 are vulnerable.
We also can?t confirm whether the PowerPoint Viewer utility is or isn?t affected.

There is a CVE entry for this vulnerability,

Juha-Matti created a nice FAQ about this vulnerability (similarly to his previous Excel vulnerability FAQ). You can find it at

It is worth reminding you that, as with previous vulnerabilities in Microsoft Office applications, there are not many options you have in protecting your networks. If you can, apply strict filtering of PPT files (maybe at least quarantine them, so they can be scanned and reviewed later). Users should be extra careful when opening PowerPoint files until Microsoft releases a patch (or some workaround is available).
While we can?t confirm that this would stop the exploit from executing, it is a good idea to turn on memory-based security mechanisms (Data Execution Prevention).

If you went to Symantec?s web site with the description of the Trojan being dropped, you probably saw the screen shot of the PowerPoint slide which is displayed once the file is opened in PowerPoint. One of our readers, Vince, sent us the translation of this:

?What is love? Sending her 999 roses knowing she doesn't love him.
What is waste? Sending her 999 roses know she loves him.?

Interesting, isn?t it? If this was displayed with all infected documents, it makes us wonder who was targeted with this. It is quite possible that that the original exploit was written by some other author who then maybe sold it to bad guys ? this sounds to me like a typical ?I?m in love, here?s my worm/virus/exploit dedicated to her? thing; we?ve seen such worms/viruses many times before.

I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Pen Test Hackfest Europe 2022 - Berlin


403 Posts
ISC Handler
Jul 14th 2006

Sign Up for Free or Log In to start participating in the conversation!