Microsoft Security Advisory (969136)

[ronjor]

Quote:

Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution

Published: April 2, 2009

Version: 1.0

Microsoft is investigating new reports of a vulnerability in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers.

Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Microsoft

[ronjor]

New 0-day Exploits Using PowerPoint Files

Quote:

We are also releasing today a generic signature to protect our customers against these exploits. Its name is Exploit:Win32/Apptom.gen. Basically, access to such exploit files is blocked if a Windows Live OneCare user or a Forefront Client Security user tries to open them.

The malicious PPT files try to drop malware once opened. Here is a screenshot with the process activity after a malicious document has been executed:

Microsoft Malware Protection Center