Microsoft PowerPoint 0-day Vulnerability FAQ [UPDATED]

This is a Frequently Asked Questions document about a new zero-day vulnerability in Microsoft PowerPoint. The document also describes the related malware and e-mail attacks.

-UPDATE- This vulnerability was fixed on 8th August with the MS06-048 monthly update.


- Several updates made on 15th July, 17th July and 8th August, 2006.

NOTE: Several Riler category Trojan descriptions are included.
It is worth noting that a separate 0-day vulnerability was reported in August too.

Q: What is Microsoft PowerPoint 0-day vulnerability?
A: This previously unknown vulnerability is caused by an unspecified error when processing malformed PowerPoint documents. Its detailed characteristics are not publicly known, but the component being exploited is mso.dll (a shared Office library). The vulnerability was disclosed via malware descriptions reporting a new Trojan that exploits an undocumented vulnerability in PowerPoint. The flaw has been used in several e-mail attacks against undisclosed organizations. Microsoft has confirmed these “very targeted” attacks.

Q: How does the vulnerability work?
A: The vulnerability is a code execution vulnerability. An attacker who successfully exploits it can run code of his or her choice on the affected machine. The arbitrary code is executed with the privileges of the currently logged-on user. Keylogger and backdoor features are known to be included in the malware exploiting this vulnerability. The vulnerability is caused by memory corruption triggered by a specially crafted string in a PowerPoint file.
UPDATE: Microsoft states in the new MS06-048 bulletin that the vulnerability is triggered when PowerPoint parses a malformed shape.

Q: When was this vulnerability found?
A: The first malware description was published on Wednesday 12th July. Microsoft confirmed the existence of the vulnerability on 13th July and officially in the MSRC Blog on 14th July. There is information that one AV vendor had already received samples on 11th July.

Q: Is this one of the critical vulnerabilities reported on 11th July with MS July Security Bulletins?
A: No. This is a new, unpatched vulnerability. The vulnerabilities fixed in MS06-038 etc. are different issues.

Q: Which Windows versions are affected?
A: Microsoft PowerPoint installations on Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows 2003 Server systems are reportedly affected.

Q: What PowerPoint versions are affected?
A: According to Microsoft Security Advisory #922970, PowerPoint versions 2003, 2002 and 2000 are affected. Several vendors also list Office 2000, Office XP (2002) and Office 2003 as affected.
The three PoCs posted to a public mailing list have been tested against PowerPoint 2003.
UPDATE: Microsoft lists PowerPoint 2000 in Microsoft Office 2000 Service Pack 3, PowerPoint 2002 in Microsoft Office XP SP3 and PowerPoint 2003 in Office 2003 SP1/SP2 as affected.

Q: Is PowerPoint Viewer utility affected too?
A: UPDATE: No. Microsoft lists PowerPoint Viewer 2003 as not affected in its Security Advisory #922970.

Q: Is Microsoft Works Suite affected too?
A: At the time of writing there is no official information about this.
UPDATE: Microsoft states that Microsoft Works Suite 2004, 2005 and 2006 are not affected by this vulnerability.

Q: Is Microsoft PowerPoint for Mac affected by this vulnerability?
A: There is no official information about this. US-CERT lists the Mac versions as affected too.
UPDATE: Microsoft states that PowerPoint 2004 for Mac and PowerPoint 2004 v. X for Mac are affected too.

Q: I am using non-English version of PowerPoint 2003. Am I affected?
A: As of 17th July it is impossible to say; exact information about the affected language versions is not yet available.
UPDATE: Microsoft Security Bulletin MS06-048 includes fixes for all language versions of the PowerPoint products, i.e. the patch is needed for localized versions too.

Q: Where are the official Microsoft documents related to this case located?
A: Documents published by Microsoft are located on the Microsoft Security Response Center (MSRC) Blog site at blogs.technet.com/msrc/default.aspx. UPDATE: The security advisory was published in the Microsoft Security Advisories section of the Microsoft TechNet Security site, www.microsoft.com/technet/security/advisory/default.mspx.

Q: How can I protect myself from this vulnerability?
A: The best advice is to use anti-virus software that protects against this specific malware and to check that the virus signature files are up to date.

Q: Is the exploit code of this vulnerability publicly released?
A: UPDATE: Yes. Three separate Proof-of-Concept files were posted to public, non-moderated and moderated security mailing lists on 15th July. These PoCs have been tested against PowerPoint 2003. However, it is reported that these PoCs demonstrate new, different vulnerabilities.

Q: Does this mean that there are several unpatched vulnerabilities in PowerPoint?
A: According to the newest information the answer is yes.
The PoCs introduce the following three vulnerabilities:
#1 memory corruption – CVE-2006-3656
#2 mso.dll – CVE-2006-3655
#3 powerpnt.exe – CVE-2006-3660

The PoC exploits mentioned reportedly cause a Denial of Service condition or enable code execution, but code execution is not confirmed yet. It is worth mentioning that the CVE-2006-3656 exploit triggers when the PowerPoint document is closed.
UPDATE: The separate CVE names assigned to these vulnerabilities are the following:
CVE-2006-3656
CVE-2006-3655
CVE-2006-3660

Q: Are there separate malwares related to these three new disclosures yet?
A: No. This is the situation as of 18th July, 2006.

Q: Is a PoC-type sample file of this vulnerability publicly available?
A: No.

Q: Is it safe to open any .PPT files any more?
A: It is very important not to open PowerPoint files from unknown sources. However, files from familiar sources can cause an infection too if a spoofed e-mail is used.

Q: Are there any visual effects informing about the infection?
A: Yes. The title slide shows Chinese characters when the malicious PowerPoint document is opened. A screenshot of the first slide is included in the Sophos document related to this vulnerability (see the related item later). The background colour of the PowerPoint presentation used is black and the text colour is white.

Q: Are there any changes to file system made by related Trojan malware?
A: Yes. The files rtfmsv.exe and regvrt.exe are copied to the Windows System folder when the malicious .PPT attachment is opened.

Q: What are the Registry keys used?
A: Modifications are made under HKCU\Software\SKavx\ and HKEY_LOCAL_MACHINE\Software\SKavx.

Q: Are there any special features in the way this new Trojan works?
A: Yes. It can inject itself into the Explorer process.

Q: What are the names of the malwares exploiting this vulnerability?
A: Reportedly there is one Trojan and one dropper component for this malware. The following names are used:

Backdoor.Bifrose.F [Trojan]
Trojan.PPDropper.B [dropper]

BKDR_BIFROSE.DS [Trojan]
TROJ_MDROPPER.AS [dropper]

BackDoor-CEP [Trojan]
Exploit-PPT.b [exploit]

Troj/Edepol-C [Trojan]

Bifrose.UZ [Trojan]

Backdoor.Win32.Bifrose.uz [Trojan]

Backdoor:Win32/Bifrose!E029 [Trojan]

W32/Bifrose.UZ [Trojan]

The list is fairly comprehensive. Some W32/Bifrose-based names are in use too.

——-
NOTE: The following names were assigned on 17th July or later:

Trojan.Riler.F [Trojan]
Trojan.PPDropper.C. [dropper]

TROJ_RILER.B [Trojan]
TROJ_MDROPPER.AK [dropper]

Win32.Fantador.E [Trojan]

Win32/Fantador.E!Backdoor [Trojan]

This new category uses different techniques, e.g. Layered Service Provider (LSP); see
en.wikipedia.org/wiki/Layered_Service_Provider
and
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_RILER.B

Q: My AV vendor doesn’t list these names on their Web pages. How do I know my AV software protects me?
A: It’s possible that the anti-virus software already has protection against this threat but the malware database on the vendor’s Web page doesn’t include a specific write-up yet because of the weekend, holiday season etc. The best way is to check the situation with your AV vendor.

Q: Are there Internet Storm Center documents available about the issue?
A: Yes. The Internet Storm Center (ISC) has released the following Diary entry: isc.sans.org/diary.php?storyid=1484

Q: Is a CME name available for the related malware?
A: No. The Common Malware Enumeration (CME) project has not assigned an identifier to this malware.

Q: Does Windows Live Safety Center detect this malware?
A: UPDATE: Yes. According to a new MSRC Blog posting, detection has now been added to Windows Live Safety Center (in Beta phase).

Q: What is the file attachment name used in attacks mentioned?
A: A name including Chinese characters was used. The attackers can use other names in the future too, because the information about the format of the name used is publicly known.

Q: Is there information about file size used?
A: UPDATE: Yes. The size of the PowerPoint file is 220,160 bytes. Additionally, the .PPT file includes 18 slides.

Q: What sender address is in use?
A: Reportedly gmail.com addresses are used.

Q: Are the names of the recipients shown in the message that includes the malicious PowerPoint attachment?
A: No. Only the name ‘Undisclosed-Recipient:;’, widely used in phishing e-mails etc., was used.

Q: What is the Subject line of the e-mails sent in the attacks mentioned?
A: Chinese characters have been used.

Q: What are the contents of the PowerPoint presentation?
A: Sophos has a short translation of the first two pages located at
www.sophos.com/pressoffice/news/articles/2006/07/chinesewords.html

Q: Is any user interaction needed when opening the malicious PowerPoint file?
A: No. Simply opening the malformed PowerPoint file triggers the vulnerability.

Q: Is it safe to open PowerPoint presentations coming from a trusted, known sender during the next days?
A: The answer is yes and no. If your anti-virus software is updated it will protect you. If you want one hundred percent protection you can save the presentations first and scan them with your AV software.
These days you can’t trust that the sender information included in a message with a PowerPoint file attached is truthful. If you are not sure, you can always call the sender if an e-mail including a .PPT attachment arrives unexpectedly.
Additionally, it is possible to include malicious Microsoft PowerPoint files as embedded files in Microsoft Word or Microsoft Excel files.

Q: Is it possible that malicious PowerPoint files (.PPT file extension etc.) are located on Web pages too?
A: Yes. It is possible for an attacker to place malformed PowerPoint files on Web pages too.

Q: Does filtering PowerPoint documents at the network perimeter protect me?
A: No. Normally Windows will open files based on the file header information, i.e. filtering by file extension alone is not something you can trust.
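As an added example (not part of the original FAQ) of what a content-based filter does instead of trusting the extension: the code below recognises the OLE2 compound-document header that every binary .PPT, .DOC and .XLS file begins with, so a renamed attachment is still held for AV scanning. The gateway policy, the function names and the sample blobs are constructed for this example.

```python
"""Content-based identification of OLE2 compound documents (the container
format of binary .PPT, .DOC and .XLS files) for a mail or proxy gateway.
Added example; the hold policy and helper names are assumptions."""
import struct

# OLE2 / Compound File Binary signature that opens every binary Office file.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
OFFICE_EXTENSIONS = {".ppt", ".pps", ".pot", ".doc", ".dot", ".xls", ".xlt"}
HEADER_LEN = 512  # the OLE2 header always occupies the first 512 bytes


def is_ole2(data: bytes) -> bool:
    """True when the blob starts with a structurally plausible OLE2 header."""
    if len(data) < HEADER_LEN or not data.startswith(OLE2_MAGIC):
        return False
    # Byte-order mark at 0x1C must be FF FE (little-endian) and the sector
    # shift at 0x1E is 9 (512-byte sectors) or 12 (4096-byte sectors).
    byte_order, sector_shift = struct.unpack_from("<HH", data, 0x1C)
    return byte_order == 0xFFFE and sector_shift in (9, 12)


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Decide from the content, not the name, whether to hold an attachment."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    ole = is_ole2(data)
    reasons = []
    if ole:
        reasons.append("OLE2 compound document")
        if ext not in OFFICE_EXTENSIONS:
            reasons.append("extension %r does not match OLE2 content" % ext)
    elif ext in OFFICE_EXTENSIONS:
        reasons.append("Office extension without OLE2 header")
    # Anything that is, or claims to be, a binary Office file is held for AV.
    return {"ole2": ole, "hold": bool(reasons), "reasons": reasons}


def fake_ole2(size: int, sector_shift: int = 9) -> bytes:
    """Constructed sample: a zeroed OLE2 header padded to the given size.
    Not a real document; only the fields is_ole2() checks are populated."""
    header = bytearray(HEADER_LEN)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<HH", header, 0x1C, 0xFFFE, sector_shift)
    return bytes(header) + b"\0" * (size - HEADER_LEN)


if __name__ == "__main__":
    samples = {
        "slides.ppt": fake_ole2(220160),  # padded to the size reported in the FAQ
        "photo.jpg": fake_ole2(4096),  # OLE2 content hiding behind a .jpg name
        "notes.ppt": b"just text " * 100,  # .ppt name, not a compound file
        "pic.jpg": b"\xFF\xD8\xFF\xE0" + b"\0" * 1000,  # genuine JPEG magic
    }
    for fn, blob in samples.items():
        print(fn, inspect_attachment(fn, blob))
```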

Q: What is the vulnerable component in this vulnerability?
A: The vulnerable components are Mso.dll and Ietag.dll in PowerPoint 2003 and 2002, and Mso.dll in PowerPoint 2000. The Ietag library is normally located in the folder C:\Program Files\Common Files\Microsoft Shared\Smart Tag. Information about the vulnerable components in the Macintosh versions of Office is not publicly available.

Q: When is the fix for this vulnerability expected?
A: It is impossible to say. Normally a Microsoft security advisory includes information about the fixing timeline of unpatched vulnerabilities. The next monthly security updates are scheduled for 8th August, 2006.
UPDATE: The monthly updates available since 8th August include a fix for this vulnerability.

Q: Is a CVE name available for this vulnerability?
A: Yes, the CVE name CVE-2006-3590 was assigned on 14th July. The link to the CVE document is cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3590.

Q: Are rootkit techniques included in the malware exploiting this vulnerability?
A: At the time of writing there is no information about rootkit functionality being included.

Q: Is any payload other than the backdoor and keylogging functionality included in the Trojan malware?
A: Yes. Reportedly this Trojan horse may attempt to disable AV (anti-virus) software. Additionally, it sends system information to a remote Web site, which can help the attacker in future attacks.

Q: Is there information about the origin of the related malware authors?
A: No. It is known that some of the target Web sites used in the attacks mentioned are located in China, in the Hong Kong and Jiangsu areas. Additionally, some target sites are located in the USA.

Q: What TCP/IP port is used in the related attacks?
A: Several random TCP/IP ports are in use.

(c) Juha-Matti Laurio, Finland (UTC +3hrs)


-UPDATE-: An MSRC Blog posting states that Microsoft has activated its security response process and has added detection to the Windows Live Safety Center.

Revision History:
1.0 14-07-2006 Initial release
1.1 14-07-2006 Added information about Registry keys used
1.2 14-07-2006 Added Trojan descriptions and information about translation of PPT file contents
1.3 14-07-2006 Added CVE name. Some minor updates.
1.4 15-07-2006 Added information about Windows Live Safety Center protection and PoCs posted to public mailing list
1.5 15-07-2006 Several updates and fixes, added new items
1.6 16-07-2006 Added new item to clarify the existence of multiple vulnerabilities, minor updates
1.7 17-07-2006 Added information about TCP/IP ports used in attacks and more technical information about Trojan. Added CVE names of three separate issues reported by ‘naveed’. Added new item about affected language versions, minor updates and fixes
1.8 18-07-2006 Added information from the published Microsoft Security Advisory, added new types of Trojans and droppers. Added new item related to malwares exploiting three separate 0-day vulnerabilities, the so-called ‘naveed issues’.
1.9 20-07-2006 Added new Riler category Trojan description, added more Fantador based Trojan names
2.0 04-08-2006 Some minor fixes
2.1 08-08-2006 Added information about published Microsoft Security Bulletin MS06-048. Added new item related to vulnerable Windows/Office components.
2.2 20-08-2006 Added information about separate 0-day vulnerability reported in August (different title field used in related FAQ document)

Thanks to Internet Storm Center handler Bojan Zdrnja for his comments on this FAQ document.

  • http://www.factoryfast.com.au toys

    There are indeed strange things going on with these office vulnerabilities. I suspect, at the start, that some hacker somewhere has found consistent security problems in office and is taking advantage of them all one by one. Microsoft is only reacting, not sorting out the main problem at all.
    Running VISTA now, I wonder how office is affected again.
    Where do these Malware people come from? I wish they would do a major crackdown or something. They’re getting as dodgy as drug dealers, in my opinion! I can imagine them hacking security issues in a dark club somewhere sniffing cocaine or something.

  • http://www.portraitkingdom.com oil painting portrait artists

    I can’t imagine having this same problem with word, excel and other files. If PowerPoint is now vulnerable to this I won’t wonder if someday other files will be affected. I hope newer OS can provide better security against people who have nothing to do but upset users.

  • http://networksecurity.typepad.com/ Juha-Matti

    Thanks for the feedback. There are many short sleeps behind related to these FAQ’s ;-)

  • http://www.berghexn.de Kanuverleih

    Thank You for another very interesting article.
    It’s really good written and I fully agree with You
    on main issue, btw. I must say that I really enjoyed
    reading all of Your posts. It’s interesting to read ideas,
    and observations from someone else’s point of view… it makes
    you think more. So please try to keep up the great work all the time.
    Greetings

  • http://networksecurity.typepad.com/ Juha-Matti

    Thanks for the feedback. It’s nice to notice that these FAQ documents give new information in 2007 still.

  • http://www.bigshop.com.au Online shopping

    I am a mac fan myself and have just got a new laptop with Vista and all the apps ie. powerpoint…. i hope they have it sorted now??