Hackers exploit Windows zero-day flaw in targeted PowerPoint attacks

Graham Cluley

Be on your guard. Another zero-day vulnerability has been uncovered that affects almost all supported versions of Windows, and it is being actively exploited by hackers in targeted attacks.

Microsoft has issued a security advisory about a critical remote code execution flaw in all versions of Windows apart from Windows Server 2003.

That would be bad enough. But what makes things worse is that malicious hackers are aware of the as-yet-unpatched security hole and are actively exploiting it in what Microsoft calls “limited, targeted attacks” through Microsoft PowerPoint.

Fortunately, the attacks seen to date do require some user interaction to succeed on Windows computers running with UAC (User Account Control) enabled, as a consent prompt is displayed before the malicious payload can run with elevated rights. Unfortunately, many users are in the habit of simply ignoring such prompts and clicking to make them go away…

There are two main ways in which an attacker could exploit the vulnerability.

Firstly, they could create a booby-trapped PowerPoint file that they email to one of your company’s users. Using social engineering tactics they could trick the user into opening the file, which contains a malicious OLE object. When the document is opened, the object is executed on the computer – potentially installing more malware, stealing information or opening a backdoor through which hackers could access your systems.

The other potential vector for infection is web-based. An attacker could either create their own website that hosts a malicious file, or compromise a legitimate site to do the same, and then wait for users to access it. A typical method would be to email the targeted user a hyperlink that points to the malicious web content.

Of course, although Microsoft has only seen attacks involving PowerPoint files to date, it could just as easily involve any other Microsoft Office file type, as well as third-party files, capable of containing a malicious OLE object.
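As a practical illustration of that last point, here is a small triage script, added here and not part of the original article or of any Microsoft tooling, that looks inside an OOXML container (.pptx, .docx, .xlsx) for embedded OLE objects. It checks both the `embeddings/` directories and the `.rels` relationship files for the `oleObject` and `package` relationship types, and verifies that an embedded part begins with the OLE2 compound-file magic. The sample document it scans is constructed inline for the demo and is not a real exploit file; legacy binary formats (.ppt, .doc) are themselves OLE2 compound files and are not handled here.

```python
import io
import re
import zipfile

# Relationship types an OOXML part uses to point at an embedded OLE object.
OLE_REL_TYPES = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/package",
)
# Magic bytes of an OLE2 compound file (what an embedded object is stored as).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Where PowerPoint, Word and Excel keep embedded objects inside the zip.
EMBED_DIRS = ("ppt/embeddings/", "word/embeddings/", "xl/embeddings/")


def scan_ooxml(data: bytes) -> dict:
    """Inspect an OOXML blob and report embedded-object parts and relationships.

    Returns {'ole_parts': [(name, is_ole2)], 'ole_rels': [(rels_file, target)],
             'errors': [str]}.
    """
    result = {"ole_parts": [], "ole_rels": [], "errors": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["errors"].append("not a zip/OOXML container")
        return result
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(EMBED_DIRS):
                # Read only the header: no need to inflate a large (or hostile) part.
                with zf.open(info) as part:
                    head = part.read(len(OLE2_MAGIC))
                result["ole_parts"].append((name, head == OLE2_MAGIC))
            if name.endswith(".rels"):
                xml = zf.read(info).decode("utf-8", "replace")
                for tag in re.findall(r"<Relationship\b[^>]*>", xml):
                    rel_type = re.search(r'Type="([^"]+)"', tag)
                    target = re.search(r'Target="([^"]+)"', tag)
                    if rel_type and rel_type.group(1) in OLE_REL_TYPES:
                        result["ole_rels"].append(
                            (name, target.group(1) if target else ""))
    return result


def has_embedded_ole(data: bytes) -> bool:
    """True if the container carries any embedded OLE object (worth a closer look)."""
    r = scan_ooxml(data)
    return bool(r["ole_parts"] or r["ole_rels"])


def build_sample_pptx(with_ole: bool) -> bytes:
    """Constructed, minimal .pptx-like zip for the demo; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        if with_ole:
            zf.writestr("ppt/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 504)
            zf.writestr(
                "ppt/slides/_rels/slide1.xml.rels",
                '<Relationships><Relationship Id="rId2" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                'relationships/oleObject" Target="../embeddings/oleObject1.bin"/>'
                "</Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        sample = build_sample_pptx(flag)
        print("embedded OLE present:", has_embedded_ole(sample), scan_ooxml(sample))
```

Treat a hit as a reason to quarantine and inspect, not as proof of malice: embedded objects such as Excel charts or Visio drawings are legitimate in plenty of business documents, which is exactly why attackers use them as a carrier.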

Microsoft has produced a temporary one-click “Fix It” tool for some versions of PowerPoint, which can prevent exploitation of the vulnerability. But it is clearly no replacement for a proper security patch.

Among its suggested workarounds, Microsoft advises users not to open PowerPoint or other Office files from untrusted sources – although that is clearly going to be disruptive to many people’s regular working activities.

It also clearly helps if your account runs with fewer user rights rather than administrative privileges: a malicious object executed from a document can only do what the user who opened it is allowed to do.

According to Microsoft, the attacks currently being seen can also be blocked by deploying and properly configuring Microsoft EMET.

The clock is now ticking as to when Microsoft will have a proper fix for this flaw. Although the company hasn’t yet confirmed it will issue a security patch, there will undoubtedly be speculation that it may be forced to issue an out-of-band patch rather than wait until the next regular swathe of updates in November’s Patch Tuesday.

After all, it’s not just system administrators and IT teams who are watching the clock. You can be sure that the hackers exploiting the vulnerability are also keen to use it as much as possible, before a proper fix is released.

Make sure that your computers are being properly updated with the latest anti-virus updates, and that you have a strong regime of rolling out security patches promptly when they are available. In addition, consider how tighter application control can limit your attack surface and make it harder for attackers to pierce your defences.

This article originally appeared on the Optimal Security blog.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.