Microsoft PowerPoint Vulnerability FAQ - August 2006, CVE-2006-4274 [UPDATED]
August 20th, 2006 by Juha-Matti, Filed under: Microsoft, Commentary, Virus, Corporate Security
This is a Frequently Asked Questions document about the latest Trojan case exploiting a vulnerability in Microsoft PowerPoint. The document describes the related malware as well.
Update: New CVE name added to the title, 0-day information removed.
NOTE: According to new information this is not a 0-day vulnerability; it is the vulnerability already patched by MS06-012.
NOTE #2: On 25th August added information about the state of CVE-2006-4274 and CVE-2006-0009.
Q: What is the recent Microsoft PowerPoint Trojan case related to a patched vulnerability?
A: UPDATE: The vulnerability is the Malformed Routing Slip Vulnerability, CVE-2006-0009: an error in processing a malformed routing slip in a Microsoft Office document, in this case a PowerPoint file. The issue was first disclosed via malware descriptions reporting a new Trojan exploiting an undocumented vulnerability in PowerPoint. New information published on 21st and 22nd August stated that the Trojans exploit machines not patched with the MS06-012 security update.
I.e. the original information included in the first published Trojan description was erroneous, and the new information states that this is not a zero-day vulnerability.
Q: How does the vulnerability mentioned work?
A: The vulnerability is a remote code execution vulnerability. An attacker who successfully exploits it can run code of his or her choice on the affected machine. The arbitrary code executes with the privileges of the logged-on user.
UPDATE: An attacker could exploit the vulnerability with a specially crafted routing slip in a Microsoft Office document. The malware exploiting this vulnerability is a Trojan horse, and it attempts to download malicious files with keylogger features.
The Trojan spawns a hidden Internet Explorer (iexplore.exe) process, executes as a thread of that process and finally connects to Web sites at [removed].com.tw and 61.218.[removed].
Q: When was this case found?
A: The first malware description was published on Saturday 19th August. There is information that the same AV vendor had already received samples on 17th August.
UPDATE: As of 21st Aug 20:00 UTC there was no confirmation from Microsoft available. UPDATE #2: Microsoft has confirmed that this issue is related to MS06-012.
Q: Is this one of the critical vulnerabilities reported on 8th August in Microsoft's August Security Bulletins?
A: No. This is a different vulnerability; the vulnerabilities fixed in MS06-048 are different issues.
Q: Which Windows versions are affected?
A: Microsoft PowerPoint installations on Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003 systems are reportedly affected.
Q: What PowerPoint versions are affected?
A: UPDATE: It is reported that PowerPoint 2002 (PowerPoint XP), as part of Office XP (aka Office 2002) SP3, is affected. Microsoft Security Bulletin MS06-012 lists Office 2000 Service Pack 3, including PowerPoint 2000, as affected too, however.
NOTE: It appears from the reports that PowerPoint 2003 is not affected.
Q: Is the PowerPoint Viewer utility affected too?
A: UPDATE: No. Microsoft has confirmed by e-mail that the PowerPoint Viewer utility is not affected.
Q: Is Microsoft Works Suite affected too?
A: At the time of writing there was no official information about this. UPDATE: Security Bulletin MS06-012 lists Works Suite 2001, 2002, 2003, 2004, 2005 and 2006 as affected.
Q: Is Microsoft PowerPoint for Mac affected by this vulnerability?
A: There is no information about this. UPDATE: MS06-012 lists Microsoft Office X for Mac and Microsoft Office 2004 for Mac as affected, but the affected component there is Excel, not PowerPoint.
Q: I am using a non-English version of PowerPoint. Am I affected?
A: As of 20th August it was impossible to say; exact information about affected language versions was not yet available.
UPDATE: Microsoft Security Bulletin MS06-012 includes fixes for all language versions of the PowerPoint products, i.e. the patch is needed for localized versions too.
It is recommended to patch all language versions of Office to avoid infection.
Q: Where are the official Microsoft documents related to this case located?
A: Any upcoming documents published by Microsoft will be located at the Microsoft Security Response Center (MSRC) Blog site, blogs.technet.com/msrc/default.aspx. If an official security advisory is published, it will be located in the Microsoft Security Advisories section of the Microsoft TechNet Security site, www.microsoft.com/technet/security/advisory/default.mspx.
UPDATE: The following MSRC entry has been released:
blogs.technet.com/msrc/archive/2006/08/23/449075.aspx
Because the related vulnerability is already patched, no Security Advisory is expected.
Q: How can I protect myself from this vulnerability?
A: The best advice is to use anti-virus software that protects against this specific malware and to check that the virus signature files are up to date. See the related item below about opening PowerPoint presentations.
UPDATE: Apply the MS06-012 patch as soon as possible:
www.microsoft.com/technet/security/bulletin/MS06-012.mspx
Q: Has exploit code for this vulnerability been publicly released?
A: No.
Q: Is a PoC-type sample file for this vulnerability publicly available?
A: No.
Q: Is it safe to open any .PPT files any more?
A: It is very important not to open PowerPoint files from unknown sources (e-mail, Web pages, instant messengers etc.) if the machine is not patched with the MS06-012 update.
Q: Are there any visible signs of the infection?
A: UPDATE: It is reported that the Trojan downloads files to the following locations and executes them:
Windows %System%\comine.exe
Windows %System%\comnie.exe
Q: Are there any changes to the file system made by the related Trojan malware?
A: Yes. A randomly named file with the .exe extension is written to the Windows Temp folder when the malicious .PPT attachment is opened. The Trojan looks for the Temp folder in the following order:
* C:\Documents and Settings\{current user}\Local Settings\Temp
* C:\Windows\Temp
* C:\WINNT\Temp
The folder name 'Winnt' is used on older OSs, Windows 2000 and NT 4.0.
Q: What are the names of the malware exploiting this vulnerability?
A: Reportedly there is one Trojan and one dropper component. The following names are used:
Trend Micro:
TROJ_MDROPPER.BH [dropper]
TROJ_SMALL.CMZ [Trojan]
Sophos:
Troj/Small-COA [Trojan]
Symantec:
Trojan.PPDropper [dropper]
Keylogger.Trojan [Trojan]
McAfee:
Exploit-MS06-012 [dropper, heuristically detected]
Downloader-AYB [Trojan]
Kaspersky:
Trojan-Downloader.Win32.Small.doa [Trojan]
CA:
Vet: Win32/SillyDl.AVW [Trojan]
iRiS: Win32/SillyDL.1rb!Trojan [Trojan]
F-Secure:
specific files reportedly detected
Unknown vendor:
Exploit-MS06-012!ppt [dropper]
The list is not complete yet.
Some AV vendors have reported that they have a sample file and that analysis has started.
Q: My AV vendor doesn't list names like these on its Web pages. How do I know my AV software protects me?
A: It is possible that the anti-virus software already protects against this threat but the malware database on the vendor's Web page does not include a specific write-up yet (because of the weekend etc.). The best way is to check with your AV vendor.
This document will be updated (again) to include newly assigned names.
Q: Are there Internet Storm Center documents available about the issue?
A: Yes. Internet Storm Center (ISC) has released the following Diary entries: isc.sans.org/diary.php?storyid=1618 and isc.sans.org/diary.php?storyid=1621
Q: Is there a CME name available for the related malware?
A: No. The Common Malware Enumeration (CME) project has not assigned an identifier to this malware.
Q: Does Windows Live Safety Center detect this malware?
A: UPDATE: This information is not available.
Q: What is the file name used in related infection cases?
A: This information is not available. It appears that the malicious file was not spread via e-mail. At the time of writing it is not known whether there are malicious Web sites spreading the file.
Q: Is there information about the file size used?
A: Yes. The size of the PowerPoint file is 71,168 bytes. Additionally, it appears that the .PPT file extension is used.
Q: What is the content of the PowerPoint presentation?
A: This information is not available.
Q: Is any user interaction needed beyond opening the malicious PowerPoint file?
A: No. UPDATE: It is reported that closing the malformed PowerPoint file triggers the vulnerability.
Q: Is it safe to open PowerPoint presentations coming from a trusted, known sender during the next days?
A: Yes and no. If you have applied the MS06-012 patch, and your anti-virus software is updated and confirmed to recognize the related malware, you are protected. For extra assurance you can save presentations to disk first and scan them with your AV software.
These days you cannot trust that the sender information in a message with a PowerPoint file attached is truthful (if the attacker uses the e-mail attack vector too). If you are not sure, you can always call the sender when an e-mail with a .PPT attachment arrives unexpectedly.
Additionally, malicious Microsoft PowerPoint files can be embedded as objects in Microsoft Word or Microsoft Excel files.
Q: Is it possible that malicious PowerPoint files (.PPT file extension etc.) are located on Web pages too?
A: Yes. An attacker can place malformed PowerPoint files on Web pages.
Q: Does filtering PowerPoint documents at the network perimeter protect me?
A: No, not if the filter relies on the file extension. Office identifies a document by its content (the OLE2 compound file header and the streams inside it) rather than by its extension, so a malformed PowerPoint file with a different extension, or one embedded in a Word or Excel document, is still handled by the vulnerable code. Extension filtering alone is not something you can trust; filter on content instead.
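As an added example that is not part of the original FAQ (and not Microsoft's or any AV vendor's code), the following Python script shows what a content-based filter has to do instead of trusting the extension, for both the embedded-object case two items above and the perimeter-filtering question here. It reads the OLE2 compound file header and directory (the container format of .PPT, .DOC and .XLS files) and reports a PowerPoint document whatever the file name says. "PowerPoint Document", "Current User", "WordDocument", "Workbook" and "Book" are the real Office stream names; treating a host stream plus a PowerPoint stream as "embedded" is a heuristic of this example (the parser lists directory entries flat and ignores storage hierarchy), and the sample containers are constructed in memory for the demonstration, not real documents or malware.

```python
"""Content-based check for Office binary documents (OLE2 compound files).

Constructed example for this FAQ; not code from the original post or from
Microsoft or any AV vendor. Identifies a PowerPoint document from the OLE2
signature and the stream names in the container's directory, not from the
file extension. Sample containers built below are test data, not real files.
"""
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # MS-CFB header signature
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
FATSECT = 0xFFFFFFFD
STORAGE, STREAM, ROOT = 1, 2, 5                     # MS-CFB directory entry types
# Real Office stream names; host-document names are this example's heuristic
# for "PowerPoint object embedded in a Word or Excel file".
PPT_STREAM = "PowerPoint Document"
HOST_STREAMS = {"WordDocument", "Workbook", "Book"}


def _sector(data, n, size):
    """Sector n starts right after the 512-byte header."""
    return data[(n + 1) * size:(n + 2) * size]


def ole_directory_entries(data):
    """Return (name, type) for every directory entry, ignoring storage hierarchy."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        raise ValueError("not an OLE2 compound file")
    shift = struct.unpack_from("<H", data, 30)[0]
    if shift not in (9, 12):                         # v3 = 512-byte, v4 = 4096-byte sectors
        raise ValueError("invalid sector shift")
    size = 1 << shift
    first_dir = struct.unpack_from("<I", data, 48)[0]
    fat = []
    for s in struct.unpack_from("<109I", data, 76):  # header DIFAT: sectors holding the FAT
        if s == FREESECT:
            break
        chunk = _sector(data, s, size)
        if len(chunk) != size:
            break                                    # truncated file
        fat.extend(struct.unpack("<%dI" % (size // 4), chunk))
    entries, sector, seen = [], first_dir, set()
    while sector < len(fat) and sector not in seen:  # follow the directory chain
        seen.add(sector)
        block = _sector(data, sector, size)
        for off in range(0, len(block) - 127, 128):  # 128-byte directory entries
            entry = block[off:off + 128]
            name_len, obj_type = struct.unpack_from("<HB", entry, 64)
            if obj_type in (STORAGE, STREAM, ROOT) and 2 <= name_len <= 64:
                name = entry[:name_len - 2].decode("utf-16-le", errors="replace")
                entries.append((name, obj_type))
        sector = fat[sector]
    return entries


def classify(data):
    """'not-ole', 'ole', 'powerpoint' or 'embedded-powerpoint', from content only."""
    try:
        streams = {n for n, t in ole_directory_entries(data) if t == STREAM}
    except ValueError:
        return "not-ole"
    if PPT_STREAM not in streams:
        return "ole"
    return "embedded-powerpoint" if streams & HOST_STREAMS else "powerpoint"


def _dir_entry(name, obj_type, child=FREESECT):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    # name length, type, color, left/right sibling, child; then start sector, size
    struct.pack_into("<HBBIII", e, 64, len(raw), obj_type, 1, FREESECT, FREESECT, child)
    struct.pack_into("<IQ", e, 116, ENDOFCHAIN, 0)
    return bytes(e)


def build_sample_container(stream_names):
    """Constructed 3-sector CFB file: header, one FAT sector, one directory sector."""
    h = bytearray(512)
    h[:8] = OLE2_MAGIC
    struct.pack_into("<HHHHH", h, 24, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, shifts
    struct.pack_into("<III", h, 44, 1, 1, 0)                   # FAT count, first dir sector
    struct.pack_into("<IIIII", h, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", h, 76, 0, *([FREESECT] * 108))   # FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = _dir_entry("Root Entry", ROOT, child=1)
    directory += b"".join(_dir_entry(n, STREAM) for n in stream_names)
    assert len(directory) <= 512, "at most 3 streams fit in this one-sector directory"
    return bytes(h) + fat + directory.ljust(512, b"\x00")


if __name__ == "__main__":
    renamed = build_sample_container([PPT_STREAM, "Current User"])
    print("notes.doc ->", classify(renamed))                  # powerpoint, despite the name
    host = build_sample_container(["WordDocument", PPT_STREAM])
    print("report.doc ->", classify(host))                    # embedded-powerpoint
    print("archive.ppt ->", classify(b"PK\x03\x04" + bytes(600)))  # not-ole
```

At a mail or Web gateway the same `classify()` would run over the attachment bytes regardless of the declared name or MIME type; a result of `powerpoint` or `embedded-powerpoint` is what an extension filter would have missed in the renamed and embedded cases.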
Q: What is the vulnerable component?
A: UPDATE: MS06-012 lists the file Msroute.dll as the vulnerable component.
Q: Is there a CVE name available for this issue?
A: UPDATE: Yes, CVE name CVE-2006-4274 was assigned on 21st August. The CVE entry is at cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4274.
The CVE name of the vulnerability fixed in MS06-012 is CVE-2006-0009:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0009
UPDATE: Given the new state of the issue, CVE-2006-4274 now corresponds only to the original reporting of the case. The vulnerability itself is described by CVE-2006-0009.
Q: Are rootkit techniques included in the malware exploiting this vulnerability?
A: At the time of writing there is no information about rootkit functionality.
Q: Is there information about the origin of the malware authors?
A: No. It is known that one of the Web sites the Trojan connects to is located in Taiwan.
(c) Juha-Matti Laurio, Finland (UTC +3hrs)
Revision History:
1.0 20-08-2006 Initial release
1.1 20-08-2006 Minor fixes, added some hyperlinks
1.2 21-08-2006 Some minor fixes
1.3 21-08-2006 Added information about the lack of confirmation from Microsoft and the state of malware descriptions
1.4 22-08-2006 Added CVE name to the title and to related item, added new ISC Diary link
1.5 22-08-2006 Added link to NVD version of CVE-2006-4274
1.6 22-08-2006 Removed information issue being 0-day vulnerability, related changes done, added new Trojan/dropper names, added credits
1.7 23-08-2006 Added new Trojan/dropper names (McAfee, Kaspersky), updated the Trojan characteristics and added information about working CVE link
1.8 24-08-2006 Added link to released MSRC entry and updated the document with detailed information
1.9 24-08-2006 Added new Trojan name (CA), added F-Secure detection as well
2.0 25-08-2006 Added information about the state of CVE-2006-4274 and CVE-2006-0009
Updated items include the word 'UPDATE:'.
Thanks to the anonymous anti-virus companies for providing sample- and description-related information.
Dear Microsoft, I have reported the latest state of the issue to three security mailing lists on 22nd and 23rd Aug.
[…] - Several updates done on 15th Jul, 17th Jul and 8th August, 2006. NOTE: Several Riler category Trojan descriptions included. It is worth noticing that there is a separate 0-day vulnerability reported in August too. […]
[…] Update # 20:00 UTC: Internet Storm Center has released a related Diary entry. Update # 22:00 UTC: Added information about changes in the Trend TROJ_MDROPPER.BH write-up. Update 21st Aug: There is a new FAQ document released too. […]
Microsoft Sux!! Deleted files on a network drive do not go to the recycle bin. Stupid Bug.
This is just only a new trojan and *NOT* a new flaw.
[…] As was reported yesterday, there seems to be a new issue with PowerPoint. Reader Juha-Matti has put together a comprehensive FAQ about the situation. He is soliciting comments via his FAQ page, see the links at the bottom. More details coming as this develops. Marcus H. Sachs, Director, SANS Internet Storm Center […]
[…] A new and potentially damaging vulnerability has been discovered in Microsoft PowerPoint. SecuriTeam have posted some information on it: […]
[…] Trend Micro has released details on two new trojan droppers in Microsoft PowerPoint. Looks like another 0-day where a malformed PPT document allows for code execution. A FAQ is in the works here. […]
Trend Micro says this is not a 0-day exploit, but exploits an old flaw (MS06-012).
“This Trojan is not a zero-day exploit. It attempts to exploit the Microsoft Office Remote Code Execution Using a Malformed Routing Slip Vulnerability. It is seen that this Trojan has a similarity with other malware exploiting the said Vulnerability. Note that the shell code of the sample is actually located in the routing slip record. However, the shellcode does not manifest the said behavior.”
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FMDROPPER%2EBH&VSect=T
According to Stephen Toulouse, a program manager in the MSRC (Microsoft Security Response Center), the vulnerability has already been resolved by an update.
Thanks for the comments. I am aware of the new investigations by TrendMicro and I will update the FAQ when they confirm this information by e-mail.
Trend Micro has updated its TROJ_MDROPPER.BH description. The updated document states that the dropped PowerPoint file exploits the older MS06-012 vulnerability:
http://www.microsoft.com/technet/security/bulletin/MS06-012.mspx
British Sophos, e.g., has assigned a new description entitled Troj/Small-COA, link:
http://www.sophos.com/virusinfo/analyses/trojsmallcoa.html
The document and title field will be updated soon.
[…] I'm having to make sure I put the date in the title of these posts now… over the weekend there were rumors of a new PowerPoint vulnerability. SANS had an early notice of some trojan droppers using PowerPoint files. And by the 20th (Sunday) it was being called a 0-day. There is a good FAQ over at securiteam.com. […]
I note the lack of info on PowerPoint viewer: anybody know about OpenOffice?
Good question, I have asked Microsoft about the situation now. Only Excel 2003 Viewer was mentioned as affected in MS06-012.
[…] New information on the PowerPoint issue has arrived. Turns out the droppers involved exploit a known vulnerability in MS Office routing slips, which was addressed in March. More info in the FAQ. […]
[…] Oh and finally the PowerPoint vulnerability. If you open a PowerPoint file, make sure you know where it came from. It could contain a Trojan (a program that secretly takes control of your PC). So even if the e-mail says "this is a very funny joke, just click on this file joke.pps", please don't. SANS Handler's Diary Posting by Juha-Matti http://isc.sans.org/diary.php?storyid=1618 Securiteam Blog Posting http://blogs.securiteam.com/?p=559 TrendMicro Malware Information http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FMDROPPER%2EBH&VSect=T http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSMALL%2ECMZ&VSect=T […]
To ‘p1′: Reply from Microsoft states that PowerPoint Viewer is not affected. Document updated.
[…] “It is important to be aware of malicious Office files (.PPT, etc.) located on Web pages and shared via instant messengers, etc. too,” adds Laurio. “As mentioned in the FAQ document, many times it is worth calling the sender and asking if he or she sent .ppt attachment that arrived unexpectedly.” […]
[…] "Cyber-crime gangs do not live on Office alone" In recent months the Microsoft Office suite has been the victim of a wave of vulnerabilities that were strategically made public while no official patch had yet been developed. A new trend has been established that has turned Office documents into the prime suspects for containing Trojans and backdoors, making them a target for attackers. But it is not the only office software susceptible to attack. Previous bulletins have reported promptly on the appearance of 0-day vulnerabilities in Microsoft Office. Almost all components of this suite (PowerPoint, Excel, Word…) have suffered serious security problems that allowed arbitrary code execution if a specially crafted document was opened. As the latest known example, on 19 August a warning was issued about new malware that may be exploiting a new vulnerability in Microsoft PowerPoint. Through a file in .ppt format, arbitrary code could be executed with the permissions of the user who opened the document. Although it may be related to the vulnerabilities described in bulletin MS06-048, this problem is new and has not been documented so far. There is no public exploit, although malware capable of exploiting the problem is known to be circulating. In view of this continuous parade of security problems, one may ask whether the unhealthy fixation on Microsoft's suite is because it is the most insecure or the most popular. An event disclosed by Symantec confirms once more that the most widely used suite will always be the most attacked, and that if one door is closed others will open, so that attackers always keep a comfortable margin to work with. Ichitaro is a word processor from the Japanese company Justsystem, a firm with more than 20 years of experience in the sector.
Given the obvious language differences, it is not surprising that a home-grown product, designed specifically for a culture so different from the Western one, enjoys great success in that country. Although Japanese versions of Microsoft Office exist, Ichitaro is widely used in government and educational institutions and is in good health, as shown by its fifteen major versions and the existence of versions for Linux and Mac. According to Symantec, an attack has been detected that exploited a stack overflow vulnerability in this software, allowing arbitrary code execution on the system. According to John Canavan, author of the alert, the attack includes the download (via Tarodrop) and use of a Trojan called Infostealer.Papi, used to spy on the victim and send information to the attackers. There is no exact data on the popularity or reach of the attack, but it is without doubt an interesting incident to reflect on. In the continuous search for business and for secret data obtained through espionage, cyber-crime gangs are quite efficient. If this software is popular among Japanese public institutions and users, they have not hesitated to look for attack vectors that download a Trojan capable of infecting computers in that country, if it brings them profit. If in Japan or anywhere else on the planet any other program (OpenOffice, Microsoft Word, AbiWord…) had been the majority choice, they would surely have managed to find some serious problem in it that allowed their malicious code to run. 0-day vulnerabilities intended to go unnoticed and achieve limited but lasting propagation are therefore not exclusive to one brand or company, but the heritage of any program used by enough people to make it a juicy target.
More information: Justsystem's Ichitaro zero-day used to propagate Trojan (Symantec Security Response Weblog); Vulnerability in Microsoft PowerPoint confirms a new trend (Hispasec - Una al día, 17/07/2006); Microsoft PowerPoint 0-day Vulnerability FAQ - August 2006 (SecuriTeam Blogs); Microsoft PowerPoint Vulnerability FAQ - August 2006, CVE-2006-4274 [UPDATED]. Source […]
[…] Juha-Matti over at Securiteam has put together an FAQ on the latest zero-day exploit for PowerPoint. Link here. […]
I learned about the latest Trojan case exploiting a vulnerability in Microsoft PowerPoint. It will help me in future.
Thank you
Damon Thomas