Microsoft patches critical PowerPoint hole

Microsoft on Tuesday released a patch aimed to fix a critical vulnerability in PowerPoint that had already led to exploits.

The vulnerability is listed as critical for Office 2000, but rated only as important for Office XP, Office 2003, and Office 2007. However, the hole had already formed the basis of targeted attacks, prompting Microsoft to issue a warning last month.

Although Microsoft says the hole is now patched in the Windows version of PowerPoint, the software maker said it is still working on fixes for the Mac version of Office as well as for Microsoft Works, the company's entry-level productivity suite.

"The updates for Office for Mac and Microsoft Works 8.5 and 9.0 users are still in development," Microsoft security response communications lead Christopher Budd said in a statement. "Microsoft plans to issue updates for these software when testing is complete and we can ensure high quality. We are releasing this security update on an incremental basis because of active targeted exploitation toward Windows platform users."

Without the patch, the vulnerability can be exploited by getting a person to open a PowerPoint file rigged for the attack, Microsoft has said. When the file is opened, PowerPoint will access an invalid object in memory. That then allows an attacker to remotely execute code on the system.

The fix was released as part of the company's regularly scheduled monthly Patch Tuesday.

The software maker said that with the update, the ability to open PowerPoint 4.0 file formats will be disabled by default in Microsoft Office PowerPoint 2000 and Microsoft Office PowerPoint 2002. (Microsoft has already disabled that option by default in PowerPoint 2003 Service Pack 3 and that capability does not exist in PowerPoint 2007.)

Microsoft said that the vulnerability is not rated critical for PowerPoint 2002 and later versions because they prompt a user before opening a document, meaning that the vulnerability "requires more than a single user action to complete the exploit."

Symantec said in a statement that the PowerPoint fix related largely to flaws in older file formats. "Because taking advantage of these vulnerabilities requires a user to open a maliciously crafted PowerPoint file, e-mail is likely the most probable method attackers would use to try and exploit these," said Alfred Huger, vice president of Symantec Security Response, in a statement. "Another possibility is for an attacker to lure a victim into downloading the file from a misleading or compromised Web site. At that point, the attacker would then have complete control over everything the user's account has permission to do on the system."

One security analyst warned that corporate IT staff should be paying attention not just to Microsoft, but also to a variety of security updates being issued by other software makers.

"Although Microsoft only dropped one patch for PowerPoint this month, IT administrators shouldn't get the wrong impression and breathe easy given the light load," said Lumension security analyst Paul Henry. "In addition to Microsoft, other vendors including Google, F-Secure, Adobe, HP, Symantec and Mozilla (to name a few) released a slew of patches for popular software applications."

Henry posted a list of the other updates and blogged on the subject.

"It is important to remember that historically, popular applications and files like Adobe PDF files or Word, Excel or PowerPoint files have been great vehicles for targeted attacks because those attachments are so socially acceptable and are simply expected attachments within corporate email," Henry said. "While we are relieved about the PowerPoint patch, we live in an environment where compromised applications have now become a delivery mechanism for additional downloaded and executed malware such as key-loggers and rootkits. The most effective risk mitigation, therefore, continues to be application control to prevent a compromised application from downloading and running any unauthorized software (including malware) on a user's PC."