14 DAY TRIAL // Trend Micro has reported the discovery of new zero-day PowerPoint exploit. The company has issued a public report warning of the TROJ_MDROPPER.BH Trojan horse that takes advantage of a previously unknown PowerPoint vulnerability. A successful exploit translates in the complete compromising of a machine allowing for remote arbitrary code execution.
"This Trojan is Trend Micro's detection for a specially crafted .PPT file that arrives on a system either downloaded from the Internet or dropped by other malware. This Trojan is designed to exploit the Microsoft Office Remote Code Execution Using a Malformed Routing Slip Vulnerability. It has similarities with other malware that exploit the said vulnerability. However, this Trojan's shell code does not manifest the said behavior," reported Trend Micro.
Microsoft's Juha-Matti has addressed the issue on the SecuriTeam Blog and has confirmed the vulnerability. "The first malware description was published on Saturday 19th August. There is information about samples received by the same AV vendor on 17th August already. UPDATE: As of 21th Aug 20:00 UTC there is no any confirmation from Microsoft available. This is new, unpatched vulnerability. Vulnerabilities fixed in MS06-048 are different issues. However, it is possible that this vulnerability is related to some issues fixes in MS06-048," Juha-Matti wrote.
As yet, it appears that the affected versions comprise: Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows 2003 Server systems. However, Juha-Matti denied that proof-of-concept sample files and exploit code are publicly available.