Microsoft PowerPoint Vulnerability FAQ – September 2006, CVE-2006-4854 [UPDATED]

This is Frequently Asked Questions document about new zero-day vulnerability in Microsoft PowerPoint. The document describes related malwares as well.

==UPDATE: CVE-2006-4854 has been assigned ==

UPDATE #2: MS has informed that this vulnerability was addressed in Routing Slip issue
www.microsoft.com/technet/security/Bulletin/MS06-012.mspx, i.e. this issue is not a 0-day issue. Related CVE document is CVE-2006-0009.

It appears that several sources delivered erroneous (i.e. unconfirmed) information.

Q: What is the recent Microsoft PowerPoint 0-day vulnerability discovered in September?

A: This vulnerability is caused by an unknown error when processing malformed PowerPoint documents. The issue was disclosed via malware descriptions informing new Trojan exploiting undocumented, previously unknown vulnerability in Microsoft PowerPoint confirmed especially in product version 2000.

Q: How does the vulnerability mentioned work?

A: The vulnerability is code execution type vulnerability. Attacker successfully exploiting this vulnerability can run code of his or hers choice in the affected machine. Executing arbitrary code is done with the recent privileges of logged user.

One of the security advisories published on 19th September states that this vulnerability is caused due to memory corruption.

Q: When this vulnerability was found?

A: The first information about the vulnerability was public on 16th September. The first malware description was published on Monday 18th September with minimum details.

Q: What is the mechanism in spreading?

A: This information is not available, but probably malicious files were spreaded via Web pages.

Q: Is this same critical vulnerability than vulnerability reported on 12th September with MS monthly Security Bulletins?

A: No. This is a different, unpatched vulnerability. Vulnerability in Microsoft Publisher fixed in MS06-054 is different issue.

Q: Which Windows versions are affected?

A: Microsoft PowerPoint installations used in Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows 2003 Server systems are reportedly affected to related Trojan horse. The vulnerability itself has been confirmed in Chinese version of Windows XP.

Q: What PowerPoint versions are affected?

A: It is reported that PowerPoint 2000 as part of Office 2000 is affected. Other PowerPoint versions can be affected too, however.

NOTE:

It is worth of noticing that other, newer PowerPoint versions are possibly affected as well. It is possible that Office 2000/Windows 2000 installation are used at target organisations of this case. Due to licence policy many companies don’t purchase new Office suites for older (W2K-type) computers.

Q: Is PowerPoint Viewer utility affected too?

A: This information is not available.

Q: What is the situation of Microsoft Works Suite?

A: Again, at time of writing there is no any official information about the state of Works products.

Q: Is Microsoft Office for Mac (versions X and 2004) affected in this vulnerability?

A: There is no information about this.

Q: I am using non-English version of Microsoft PowerPoint/Office. Am I affected?

A: As of 19th September it is impossible to say. Official information about affected language versions is not available yet.

NOTE: It is important to notice that when Microsoft released a patch for previous code execution 0-day vulnerability in PowerPoint the fix was available in all language builds. Security update for Office was available in 32 languages, i.e. non-Chinese versions etc. needed the fix as well.

It is recommended to avoid opening PowerPoint documents from untrusted sources on English-language and non-English systems.

Q: Where are the official Microsoft documents related to this case located?

A: Possible upcoming documents published by Microsoft are located at Microsoft Security Response Center (MSRC) Blog site. The address of this site is blogs.technet.com/msrc/default.aspx. If an official security advisory will be published the location of this advisory is Microsoft Security Advisories section of Microsoft TechNet Security site, www.microsoft.com/technet/security/advisory/default.mspx.

UPDATE: Official Security Advisory is not expected due to fixed state.

Q: How can I protect from this vulnerability?

A: The best advice is to use anti-virus software protecting from this specific malware and check that virus signature files are up-to-date. See related item discussing about opening PowerPoint documents.

Q: Is the exploit code of this vulnerability publicly released or is there PoC-type sample file of this vulnerability publicly available?

A: No.

Q: Is it safe to open any .PPT files any more?

A: It is very important not to open PowerPoint files from unknown sources: e-mail, Web pages, instant messenger etc.

Q: Are there any visual effects informing about the infection?

A: No.

Q: Are there any changes to file system made by related malware?

A: Yes. The following files are being dropped to the Windows %Systemroot% folder:

NetDDESvr.exe [size: N/A]

NetDDESvr.dllc [size: N/A]

msdel.dll [size: N/A]

Q: What are the names of malwares exploiting this vulnerability?

A: There is one dropper component for this malware. This dropper installs another Trojan which backdoor capacity.

The following names are used:

Trojan.PPDropper.E [dropper]

Backdoor.Trojan [general Trojan detection]

The list is not coverage yet.

At time of FAQ document release the most important point of view if the existence of backdoor capabilities. 0-day vulnerabilities in Office programs are widely used to industrial espionage during last months.

Q: My AV vendor doesn’t list names of these types at their Web pages. How do I know my AV software protects me?

A: It’s possible that anti-virus software has protection to this threat, but malware database at their Web page doesn’t include specific write-up yet. The best way is to check the situation from your AV vendor.

This document will be updated to include new names assigned.

Q: Is there Internet Storm Center (ISC) documents available about the issue?

A: No.

UPDATE: Yes, Diary entry isc.sans.org/diary.php?storyid=1717 has been released.

Q: Is there CME name to this related malware available?

A: No. The Common Malware Enumeration (CME) project has not assigned an identifier to this malware.

Q: Does Windows Live Safety Center detect this malware?

A: No.

Q: What is the file name used in related infection cases?

A: This information is not available. This FAQ document will be updated when information becomes available.

Q: Is there information about file size used?

A: Yes. The size of the Microsoft PowerPoint document is 1,072,128 bytes, more than one megabyte. It is not sure if the .PPT file extension is used.

Q: What is the content of the PowerPoint document?

A: This information is not available.

Q: Is any user interaction needed when opening malicious PowerPoint file?

A: No. Opening a malformed PowerPoint file triggers a vulnerability with malicious executable embedded inside the PowerPoint document.

Q: Is it safe to open PowerPoint documents coming from trusted, known sender during next days?

A: The answer is yes and no. These days you can’t trust that the sender information included to message PowerPoint file attached is truthful (if the attacker uses e-mail attack vector too). If You are not sure, You can always call to the sender if e-mail including .DOC attachments arrives unexpectedly.

Additionally, it is possible to include malicious Microsoft PowerPoint files as embedded files to Microsoft Word files, or Microsoft Excel files.

Q: Is it possible that malicious PowerPoint files (.PPT file extension etc.) are located at Web pages too?

A: Yes. It is possible that attackers can locate malformed PowerPoint files to Web pages. In this case this method is reportedly used. Some other attack vectors are IM applications, USB sticks, removable drives, floppy disks etc.

Q: Does the filtering PowerPoint documents at network perimeter protect me?

A: No. Normally Windows will open files with file header information, i.e. filtering by extension is not the way you can trust.

Q: What is the vulnerable component affecting this vulnerability?

A: This information is not available, but probably the error is in Powerpnt.exe executable itself.

Q: When the fix to this vulnerability is expected?

A: It is impossible to say. Normally Microsoft security advisory includes information about the fixing timeline of unpatched vulnerabilities. The next monthly security updates are scheduled to 10th October, 2006.

Q: Is there CVE name available to this issue?

A: No. Submission to Common Vulnerabilities and Exposures project (cve.mitre.org) was done by the FAQ author on 19th September.

UPDATE: CVE name CVE-2006-4854 has been assigned:

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4854

Q: Is there any changes in widely known Internet threat meters of security vendors?

A: Yes. E.g. Symantc has raised its ThreatCon meter to Level 2 and states this vulnerability as unpatched on 22th September still.

Q: Is there rootkit techniques included to malwares exploiting this vulnerability?

A: No.

Q: Is there information about the origin of related malware authors?

A: No.

The Chinese products confirmed as vulnerable tell only about the possibly target countries or possibly Chinese language test environment used by the attackers.

(c) Juha-Matti Laurio, Finland (UTC +3hrs)

Revision History:

1.0 19-09-2006 Initial release
1.1 19-09-2006 Several fixes, added information about 32 language builds released at MS06-048 update
1.2 19-09-2006 Added CVE name CVE-2006-4854
1.3 19-09-2006 Added information about fix in MS06-012, removed ‘0-day’ from title field
1.4 20-09-2006 Added link to ISC Diary entry, added CVE link CVE-2006-0009
1.5 20-09-2006 Generated CVE-2006-4854 hyperlink, updated advisory
1.6 22-09-2006 Added new entry about the state of Internet threat meters

Print Friendly, PDF & Email

Published by

Juha-Matti

Security consultant from Finland