Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror

PowerPoint ZeroDay Vulnerability Exploited 140

Posted by Zonk
from the microsoft's-least-favorite-day dept.
whitehatlurker writes to mention a WashingtonPost.com article about another unpatched flaw with Microsoft Office. The bug, part of the PowerPoint software, has already been used in the wild, and may be connected to an industrial espionage case. From the article: "This undocumented flaw does not appear to have been addressed in any of the 13 security updates Microsoft shipped this week to mend a variety of problems in Office software. As Security Fix and others have noted, some of the work Microsoft has done in hardening the security of the Windows operating system has forced the bad guys to look for lower-hanging fruit in applications that run on top of Windows, so we may see more Office flaws under attack."
This discussion has been archived. No new comments can be posted.

PowerPoint ZeroDay Vulnerability Exploited

Comments Filter:
  • by kcbrown (7426) <slashdot@sysexperts.com> on Sunday July 16, 2006 @05:41AM (#15727451)

    ...because more vulnerabilities will cause more people to consider switching to something like OpenOffice, right?

    Yeah right. The vast majority of the people who stick with Office these days are people who won't switch unless the alternative is 100% in every way, shape, and form "compatible" with (which to them means exactly the same as) Office.

    Must be nice to be Microsoft, where you don't have to give a shit about your customers...

    • by kripkenstein (913150) on Sunday July 16, 2006 @06:13AM (#15727507) Homepage
      "[...] people [...] won't switch unless the alternative is 100% in every way, shape, and form 'compatible' with [...] Office"

      Exactly. This is why we need to get these security vulnerabilities in MS Office to work in OpenOffice, ASAP. It's all about compatibility, baby.

      Seriously, though, I don't agree with the quote. Of course people want compatibility. But they also want security. Using MS office is a tradeoff: more compatibility, less security. When the tradeoff gets less comfortable, rational people will reconsider their options.
      • Using MS office is a tradeoff: more compatibility, less security.

        Yeah, because OpenOffice never has security problems!!11one!! [com.com].
        • Yeah, because OpenOffice never has security problems!!11one!!

          A) Who said OpenOffice didn't have security problems? Of course it does.

          B) As the dominant Office suite, MS Office has both security problems and actual exploits. TFA mentions one such. Of course OpenOffice is going to have fewer actual exploits, because it has less market share; all the money is in breaking into MS Office.

          Therefore, in practice, MS Office is less secure.
          • Then again, even if it was wholly compatable and faster, the majority of users out there don't even know that alternatives exist. They can't switch if they don't know an alternative exists. The majority of users see their computer as a mystical box that "just works" and see constant attack by spyware, adware, viruses and other malware as a price of using the computer. They think that Microsoft is required for their computer to run. They make a minimal differentiation, if any at all, between Windows, Office

          • Plus with an open documented format, you can weed out a lot of things by parsing the document...

            Embedded binaries, recogniseable shellcode, macros, and many other nasties embedded in an open document can be detected, and the xml data itself can be validated against the schema to further cut out a percentage of nasties...
            MS on the other hand uses a binary blob, which is much harder to sort through.
          • Therefore, in practice, MS Office is less secure.

            Quod non erat demonstrandum.

            Equally valid would be to say:
            premise 1: 30% of all traffic accidents are caused by drunk drivers...
            -> premise 2: Therefore, 70% of all accidents must be caused by sober drivers...
            -> conclusion: you are safer driving while drunk than sober.

            The security in OOo's case is the fact that there exists a body of developers who are more likely to fix (or accept patches for) vulnerabilities as they are found simply as a consequenc
          • Since you bring up the economic issues...

            Microsoft's marketing department has even less incentive than usual to repair this PowerPoint bug, or for that matter, other bugs in MS Office. Not with sales of the new version of Office just over the horizon. Since Marketing has always been the dominant department of Microsoft, I expect that the compahy will exhibit even more footdragging than usual in getting these bugs fixed.

            But OpenOffice.org is not driven by the same motivations. It appears that pride of wo

          • As the dominant Office suite, MS Office has both security problems and actual exploits. TFA mentions one such. Of course OpenOffice is going to have fewer actual exploits, because it has less market share; all the money is in breaking into MS Office.

            Marketshare has no relation to security problems. I know this, because everyone on Slashdot keeps telling me it's true.

      • When the tradeoff gets less comfortable, rational people will reconsider their options.
        50% of rational people already use OpenOffice. The other one doesn't own a computetr.
      • Of course people want compatibility. But they also want security.
        Nonsense. Most BAs couldn't ive a crap about security, and couldn't understand if you drew them a pretty picture using all 64 of their Crayolas. All they know is Power Point is what they know how to use and that is therefore the only tool for the job.

        Using MS office is a tradeoff: more compatibility, less security. When the tradeoff gets less comfortable, rational people will reconsider their options.
        Compatibility? With what? Other Of
      • first, for most people security just isn't worth very much. they want to be able to check it off on a list, but that's about it. MS Office says it's secure? ? done. compatibility - not just the ability to read, but the ability to look 100% visually the same - is a much, much bigger deal for most corporate folks outside of engineering.
        second, you're assuming a rational consumer. that is an invalid assumption that leads to the undoing of loads of business models. "consumers" should under no circumstances be u
    • If OpenOffice is about 95% compatible with Office 2003, then Office 2007 must be about 50% compatible with it. Does that suggest that people will switch to OpenOffice rather tha Office 2007?
      • by ozmanjusri (601766) <aussie_bob.hotmail@com> on Sunday July 16, 2006 @07:36AM (#15727657) Journal
        Does that suggest that people will switch to OpenOffice rather tha Office 2007?

        I'm running the beta of Office 2007 now, and there's no doubt that it's the biggest change to the Office interface since the switch from DOS. The new "ribbon" interface is a little easier of novices to do normal tasks with, but is a real hindrance to power users familiar with the '95-03 style Offices.

        Anyone who's already productive with the older apps will find it easier to shift to OOo than to Office 2007. There's a few new tricks under the hood of the suite, but nothing compelling enough to pay the cost of the new version. In fact, Access coders are definitely going to want to look for alternatives. The new version is pitched much more at desktop experimenters, to the serious detriment of professional developers.

        • Unfamiliarity is what stops a majority of people from using openoffice...
          Perhaps the radically different interface in msoffice 2007 will scare people away too, it's vastly different to current versions and openoffice, and just about any other app.

          As for being easier for newbies, macosx and modern linux distros are easier than windows for newbies too, the only thing keeping people away from them is being familiar with a different way of doing things.
        • Access "coders" need professional help. I mean of the psychiatric variety.

          Tools like Access are useful for desktop experimenters. Any "professional" developers using Access to write apps are failing to grow up and use a real database. Use msql, mysql, postress, DB2, Oracle, Sybase...

          If a heavy-duty database is not required, use Berkeley db. Do not be scripting a toy app for serious business use.

    • They only need compatibility with the features they're using, not every last feature.
  • by pieterh (196118) on Sunday July 16, 2006 @05:47AM (#15727464) Homepage
    The question people need to ask is not, "why should I switch to OpenOffice", but "what is the killer feature in MS Office that I absolutely need?" Do you really need to be able to run Word on a PDA? Do you need a smooth integration between Office and Exchange? Perhaps, but it's worth reevaluating.

    If the cost-benefit ratio is not strong enough to make the cost and insecurity worthwhile, abandon MS Office and use OOo. For most people it's a lot less painful than it sounds. I've even seen OOo spread like a fashion in some teams that were 100% Microsoft, as they discovered that OOo does actually work very nicely, and as they started using ODF as a standard in place of Microsoft's own formats. We did this a long time ago... we get a consistent set of tools on Windows and Linux, and documents that now conform to a global standard and which I know will still be readable in 20 years' time, whatever software or platform I'm using.

    There are many alternative office suites and OOo has its flaws, mainly it's a bit slow, but it has a feature set that hits 100% of what we've used - for documents, spreadsheets, simple graphics, and presentations - for years. And I don't get the feeling, when I run it, that I'm running a code base that has hundreds of undocumented backdoors, caused deliberately, or accidentally.

    • by Anonymous Coward
      Interface is everything.

      MS Office is hardly the best example of a good interface. However, it blows OpenOffice out of the water.

      Why do you think the popular glorified windowmanagers of Linux try to emulate Windows as much as possible? (Though in that case, it's really a moot point. At that level, familiarity of the interface is a far second to applications that are already and must continue to be in use.)
    • For a lot of people the killer feature is compatibility with the software everyone else is using. I run OO, and recently my wife updated her resume using it. Which was fine until she needed to email it in Word format to an recruitment agency (why they wouldn't accept PDF is beyond me). We used the export feature but the result just wouldn't render properly in Word. Luckily, we still had an old version of MSOffice lying around and that came to our rescue, but the fact that we needed it shows that using Open
      • Word resume (Score:3, Insightful)

        by lastberserker (465707)
        email it in Word format to an recruitment agency (why they wouldn't accept PDF is beyond me)

        Why? Because before the first living soul casts a glance on your resume it will be sifted for keywords, dragged through filters and rendered in some uniform way. And guess what, PDF is a presentation format, not a data storage format - there is no guarantee that you get the original textual data back from an arbitrary PDF document. So they don't accept any PDFs.

        • I got one recruiter to admit it to me, and I've seen the results from the other side:


          They edit your resume.

          They take your name off, or at least your contact info. They add their own banner across the top. Lord only knows what else they might do to "enhance" your resume.

          Really, I don't want that kind of "help".

          • They take your name off, or at least your contact info. They add their own banner across the top. Lord only knows what else they might do to "enhance" your resume.
            Really, I don't want that kind of "help".


            That applies regardless of if you are a looking for a job or looking for workers...
      • I find this to be a pretty moot point. Depending of which version of word you are using, things can start to look very different. I've often saved docs in one version of word, only to open them up in another version, and have all the formatting messed up. This is especially true for things like Resumes which contain more than just basic formatting. Also it looks like crap when opened in word, because there's tons of words that aren't recognized, and they are all underlined in red. By far the biggest p
      • The resume probably ended up with a recruiting agency banner over the top, all of your wife's contact info deleted, and various odd "improvements" that could cause an awkward situation in the interview.

        They really do this. Nice, huh?
    • The question people need to ask is not, "why should I switch to OpenOffice"

      The question people should have been asking since 1992 is "why should I be doing a powerpoint or clone of it when a web presentation of some form can be used later and will work on something that is available if my laptop does not like the projector, gets dropped or other problems." Going out to buy the latest version of MS Office a few minutes before the presentation because some guy has a powerpoint presentation with embedded avi

      • There are a couple different variable here. First, powerpoint allows people to do computer based presentations that otherwise couldn't. Powerpoint also automates the bells and whistles so people feel powerful. I personally feel that powerpoint allows us to produce the whiz bang presentations that are useful when we have no useful content, which could be a good or bad thing. I think many people are addicted to it, in the same way they are to the style control in Outlook.

        This leads to the second variabl

        • Powerpoint really doesn't do anything extra for the presentation. It helps the lazy presenter, for which I am grateful, but I don't believe it helps the audience.

          One of the lesser used features of Opera is the Opera Show Presentation [opera.com] format which is a nifty (albeit non-standard) way of presenting a slide show (power point like) presentation which is also represented in CSS and HTML. This could be the basis for the "web based" presentation.

          As far as the point about web-based presentations goes, your comm

    • by tdvaughan (582870) on Sunday July 16, 2006 @06:40AM (#15727551) Homepage

      And I don't get the feeling, when I run it, that I'm running a code base that has hundreds of undocumented backdoors, caused deliberately, or accidentally.

      I, too, have become so much safer since I turned off my antivirus software and instead relied on good old, tried-and-tested intuition to detect malicious software and vulnerabilities.

      • "Luke, you switched off your targeting computer. What's wrong?"
        "Nothing. I'm all right."
      • I, too, have become so much safer since I turned off my antivirus software and instead relied on good old, tried-and-tested intuition to detect malicious software and vulnerabilities.


        You too? I got rid of mine when I realised that I was spending far more time cleaning up after the crashy and slow antivirus software than I would have spent reinstalling windows after the (rare) virus infections. One of those cures that's worse than the disease.
    • The question people need to ask is not, "why should I switch to OpenOffice", but "what is the killer feature in MS Office that I absolutely need?"


      A presentation program that doesn't look like complete shit [wikipedia.org].

      -Grey [wellingtongrey.net]
      • I feel the same way about PowerPoint [apple.com].

        PowerPoint is fugly. It is only very, very slightly better (aesthetically) than OpenOffice.org Impress. Either use Keynote (which is usuable by people with very limited computing knowledge, and can generate easy to distribute QuickTime presentations), or put together a moderate budget and create an honest-to-god animation/video.

        PowerPoint is overused, and is totally inadequate for most situations. Keynote outperforms it by a huge margin; and you can get Keynote+a Mac Min
    • I have office installed on one of my alternate less important systems, and I still have to switch over to it for a few things that I've grown accustomed to that I cant find in Open office, at least not thats privided with the install package. One thing I've grown to enjoy out of MS Office is the evnelope and letters wizards, while OO has a very simple version of these the one in MS Office is much more developed and easier to use and setup, and I find myself switching computers and pulling up those wizards
    • unfortunately, in our company (and in many others, from folks i've talked to), that "killer feature" is the ability to create something which looks 100% "correct" on what the majority of people you communicate with use. we don't get MS Office for our engineers, and instead issue them OpenOffice (really NeoOffice, since we're a largely Mac shop); they don't prepare Office docs for consumption outside the company, only rarely for inside the company (outside System Engineering, which i'm embarrassed to say pro
      • Suggestion: PDF everything (as you noted), and for Presentations, use Quicktime.

        A presentation created in Keynote using the Quicktime format is easy to distribute, plays everywhere, and is vastly more "visually" appealing than a PowerPoint.

    • doc is broken, why keep using that format?

      If you are in a technical field, consider LaTeX. I personally love LyX, a frontend for LaTeX that lets you see what you are doing (instead of just use a text editor to hack tex code).

      Great output, great control, great everything but rough learning curve, unless you use LyX.

      I still have tex files from over a decade ago that work fine. How many Word files from 1995 work fine for you?

      And the new 1.4.2 PC LyX installer is 10x better than the old one, it automatically
  • Even if I open a ppt attachment by mistake, it will launch into OpenOffice. The law of diminishing returns makes far less likely that an exploit intended for one office suite used by the masses is going to work on another. That's no reason to be complacent or less vigilant, but it's just one extra layer of security between me and the attacker.
    • I'm sorry but what does the law of diminishing returns have to do with exploits??
      • Put yourself in the shoes of a hacker. Do you waste a disproportionate amount of time writing an exploit that snags 0.01% of users who might a ppt association but it loads into another presentation app and who may not even be running Windows, or do you write one which targets the 99.9% of recipients who are running Windows and PowerPoint?

        i.e. do you waste a lot of time for a minimal gain or go for the lowest hanging fruit?

        • OK, I got what you said, it was the wrong way you wrote it that confused me:

          The law of diminishing returns makes far less likely that an exploit intended for one office suite used by the masses is going to work on another.
        • Are you suggesting that the number of people who do not use Office to open PPT documents is small? I think targeting Office is in fact highly effective.
          • Yes, the number of people opening a ppt with something other than Powerpoint is diminishingly small. It would be a waste of time writing an exploit for that scenario. Hence the reason that machines with a heterogenuous mix of software are far less vulnerable as a rule than those running purely Microsoft stuff.

            It doesn't mean they are immune and common sense security still applies, but they are far less likely to be infected in the first place. Secondly, even if you caught a dose, the payload might not wor

    • Just remember to keep OpenOffice.org up to date as well. Current version is 2.0.3 - updated to patch 3 security holes [zdnet.com].
  • ... why does there have to be a news story about every one?
    if you are really concerned, rather try these rss feeds:
    http://www.us-cert.gov/channels/techalerts.rdf [us-cert.gov]
    http://secunia.com/information_partner/anonymous/o .rss [secunia.com]

  • by r4d1x (779518)
    I think its great that /. gives me all the news that I care about, but I'm really starting to second guess it. IE: this article is a weekend killer knowing that I will now have to push over 1000 IAVA's sometime in the near future......
  • Good (Score:3, Funny)

    by tomstdenis (446163) <tomstdenis@@@gmail...com> on Sunday July 16, 2006 @06:21AM (#15727518) Homepage
    Now I have an excuse for all those stupid sales presentations I've skipped. :-)

    Tom
    • Now I have an excuse for all those stupid sales presentations I've skipped. :-)

      Its got so bad now where I work that we have a powerpoint presentation (with a big screen and projector) at the annual christmas function.

      Its not about work or anything its just that ppt seems embedded in the thought processes of our managers.

  • It appears to me that it is hard to find software that cannot be exploted somehow, given enough time to dig into every possible way of doing so. Isn't this an indication that there is simply something wrong in the way software is put togeather and executed? Maybe the people who design API's, compilers and whatever is used to make software needs to rethink the way the stuff works... or maybe software is quite simply such a complex task of engineering that to keep it possible, it must also be possible to ex
    • The problem is many fold but two such problems are

      1. Lack of proper design, often caused by

      a. Addition of new team members during product cycle who don't have a clue
      b. Retention of old team members [yet to be promoted] that don't have a clue
      c. Features added mid cycle

      and

      2. Poor implementation

      a. Not all developers use the same coding style
      b. Most developers are not thorough enough to verify their code

      Basically you have a poorly maintained product design being implemented by people who often don't have
      • I see your points. I'm not a professional software developer, but end up doing some coding every now and then to achieve things nessesary for my work, quite simply since my company doesn't have resorces to hire a professional for all such things. None of this code gets any lasting importance however, which I consider important.

        I am however noticing that the developer world here in Norway(which I encounter from time to time) seems to be professionalising allot. Maybe its a sign of better things to come, w
    • One of the things that has bitten Microsoft again and again is this common tendency among multiple groups to embed powerful tools in document handling applications. ActiveX in Internet Explorer and the MS HTML control, the myriad scripting tools in Microsoft Office, and of course the very design of .NET is based on the idea that you can "trust" certain documents and allow them to run effectively native code components.

      This is fundamentally different from the way just about everyone else does things, but Mic
    • I think it's just a matter of cost. As a piece of (commercial) software approaches absolute security, the cost of development approaches infinity. (maybe not quite THAT extreme, but you get the idea :) For OSS, as it approaches absoulute security, you get version 0.5, 0.9, 0.99, 0.999, etc. So what we end up with is 'good enough'.
  • I wonder how you address a ZeroDay flaw [unless it means something else] in previous patches. One could argue that they should've found it first, but most *true* anti-ms sentiment is that they don't fix known bugs.
  • by ettlz (639203) on Sunday July 16, 2006 @07:04AM (#15727598) Journal
    He he, "PowerPoint"! When will you people give up and use LaTeX/Beamer like everyone else?!
  • Is this a new Office extension or something? "Share your important confidential presentations with everyone, instantly! Only with PowerPoint ZeroDay!"
  • Couldn't understand TFA - so I'm waiting for some nice helpful spammer to send me a PowerPoint presentation on this vulnerability.
  • Microsoft hardening Windows? Hardly. This latest wave of office exploits is rather a result of the excel exploits found some weeks ago. If one application in a suite is found to contain exploitable bugs then the other ones are likely to exhibit the same behaviour. It's all about return on investment.
  • There is related Frequently Asked Questions document published too, it was mentioned at CVE entry http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2006-3590 [mitre.org] of this PowerPoint vulnerability:
    http://blogs.securiteam.com/?p=508 [securiteam.com]
  • "Microsoft has done in hardening the security of the Windows operating system has forced the bad guys to look for lower-hanging fruit in applications that run on top of Windows"

    Um. Isn't "lower hanging fruit" the easier fruit to get? I think you mean just the opposite, Mr. Editor.

  • "ZeroDay" is too buzzwordish. Plus, bicapitalization is lame.
  • by DavidD_CA (750156) on Sunday July 16, 2006 @04:40PM (#15729405) Homepage
    The summary really should have linked to this page which describes the virus in a bit more technical nature. Not "reporter speak".

    http://www.symantec.com/enterprise/security_respon se/writeup.jsp?docid=2006-071212-4413-99&tabid=2 [symantec.com]

    Apparently the victim launches the PowerPoint slide show (probably spread via email like every other virus) and it uses PowerPoint to drop the virus and infect the machine. Although the link doesn't say, my guess is that it does this without prompting the user if it's okay to run a macro.

    The virus also displays a slide full of Chinese (?) characters. Anyone know what that translates to? "All your slide are belong to us"?
    • Gee. Wonder why it's not written for the techie/slashdot crowd. Huh. Oh yeah, it's The Washington Post. It has to be understandable to people who aren't complete geeks.

      According to a writeup [sans.org] at the SANS Internet Storm Center, the message generated by the virus reads: "What is love? Sending her 999 roses knowing she doesn't love him. What is waste? Sending her 999 roses know she loves him." That SANS advisory also notes that 3 (count 'em THREE) proof of concept exploits have been published for this vulne

No problem is so formidable that you can't just walk away from it. -- C. Schulz

Working...