PowerPoint 0day Exploit (9-27-06)

[Caine]

http://www.nist.org/news.php?extend.173

Quote:

McAfee is warning that a new 0day PowerPoint exploit has been seen in the wild. Currently being used in targeted attacks. Remote code execution possible. Microsoft may have quietly added protection for it to their own antivirus program without alerting the security community.

Hopefully the antivirus programs will have signatures for this soon so unless you are the "target" in the "targeted attacks" you should be ok. The only way to suffer the exploit is to launch the file. So if you receive a PowerPoint 'ppt' file you are not expecting you should not open it. Office 2000, Office XP, and Office 2003 are affected and reports are indicating that the Mac versions are also vulnerable

Is this covered by NOD32?

[pykko]

Yes, it is now Caine!
See here
Definition is highlighted: W97M/TrojanDropper.Lafool.F

[pykko]

hmm...it seems they've added it actually today.

I think this are the right definitions: PP97M/TrojanDropper.PPDrop.F, PP97M/TrojanDropper.PPDrop.NAA (2), PP97M/TrojanDropper.PPDrop.NAB

[Caine]

Nice one! Thanks for that pykko.

Is this sort of behaviour common with Microsoft? Pretty sneaky carry-on altogether.

[pykko]

Well, generally there are many exploits on MS products because many use them and hackers try to exploit evry little bug from them.

[Caine]

True that, but still though it's not so much the volume of exploits that MS inevitably have to battle with. It's the way they fixed up their own Security software defs and said nothing to the others. That's the bit that bugs me. Aw well, worrying over nothing since it's not an issue now.

[pykko]

Quote:

Originally Posted by Caine

It's the way they fixed up their own Security software defs and said nothing to the others.

Well, yes, basically if a new dangerous threat appear AV companies should be willing to exchange defs.