“Death by PowerPoint” — it’s a common refrain from office workers inundated by one lifeless slideshow after another, desperately wishing a nap in the board room wouldn’t be noticed. But now there’s a new reason to hate Microsoft’s big-name productivity tool: malware.
This is Not the File You’re Looking For
According to Lifehacker, Microsoft has released a security advisory about malicious Office files. Executing these files grants attackers the same permissions as whoever opens them, meaning they could potentially gain access to an entire network. What’s more, the vulnerability spans every release of Windows except for Server 2003. Microsoft’s Security TechCenter says that the malicious payload is part of an Object Linking and Embedding (OLE) component, meaning files must be opened to cause any harm. “In an email attack scenario, an attacker could exploit the vulnerability by sending a specifically crafted file to the user,” notes the TechCenter statement. “In a Web-based scenario, an attacker would have to host a website that contains a specially crafted Microsoft Office file.”
Right now, this zero-day attack relies on PowerPoint files, but since all Office file types support OLE, it’s possible a Word document or Excel spreadsheet could also be infected. Worst case? An attacker uses malware like Trojan.Taidoor or Backdoor.Darkmoon to install new programs, delete data or create new admin accounts.
Microsoft says that to protect yourself from this kind of Office malware, you should start by turning on User Account Control (UAC) so you’ll at least get a warning — and have to give approval — before any kind of OLE code is executed. You can also lower the access rights of both your own account and those of other users, and make sure to open any Office files in Protected View.
It goes without saying (but here it is anyway) that you should avoid downloading or opening any unfamiliar Office files, especially since antivirus programs won’t target these trusted file types. In addition, most of these Office-based attacks rely on spear-phishing — if attackers can use social media and browsing data to track your actions online, they can more easily craft emails you’re likely to open rather than delete out of hand. Try a VPN to protect your actions online and make sure no one is poking their nose into your business.
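One way to look at an unfamiliar Office file without opening it in Office is to list the OLE content it carries. The following is an added example, not code from this article or from Microsoft: the function names `inventory_ole` and `build_sample_pptx`, the constructed sample file and the `host.example` target are all assumptions, and the script only inventories OLE parts so an analyst can decide what deserves a closer look; it does not detect either CVE.

```python
import io
import re
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of legacy .ppt/.doc/.xls files
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL_RE = re.compile(rb"<Relationship\b[^>]*>")   # one relationship element
ATTR_RE = re.compile(rb'(\w+)="([^"]*)"')         # its attributes


def inventory_ole(data: bytes) -> dict:
    """List OLE-related parts of an Office file without rendering it."""
    report = {"container": "unknown", "embedded": [], "ole_rels": [], "external": []}
    if data.startswith(OLE2_MAGIC):
        report["container"] = "ole2"  # binary format: needs a compound-file parser
        return report
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    report["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if "/embeddings/" in name:
                # Embedded objects sit under ppt/, word/ or xl/ embeddings.
                kind = "ole2" if zf.read(name).startswith(OLE2_MAGIC) else "other"
                report["embedded"].append((name, kind))
            elif name.endswith(".rels"):
                for tag in REL_RE.findall(zf.read(name)):
                    attrs = {k.decode(): v.decode("utf-8", "replace")
                             for k, v in ATTR_RE.findall(tag)}
                    target = attrs.get("Target", "")
                    if attrs.get("Type", "").endswith("/oleObject"):
                        report["ole_rels"].append((name, target))
                    if attrs.get("TargetMode") == "External":
                        # Target lives outside the file and is fetched at open time.
                        report["external"].append((name, target))
    return report


def build_sample_pptx() -> bytes:
    """Constructed sample: a zip with one embedded and one linked OLE object."""
    rels = (
        "<Relationships>"
        f'<Relationship Id="rId1" Type="{REL_NS}/oleObject" Target="../embeddings/oleObject1.bin"/>'
        f'<Relationship Id="rId2" Type="{REL_NS}/oleObject" Target="file://host.example/share/obj.bin" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        zf.writestr("ppt/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 16)
    return buf.getvalue()
```

To check a real file, pass its bytes to `inventory_ole`; a non-empty `embedded` or `external` list means the file carries OLE content and is worth opening only in Protected View or a sandbox.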
Sand In Your Eyes
There’s more bad news for Microsoft: Windows IT admins aren’t safe from a Shellshock-type attack, previously thought to be a Linux and Unix-only problem. Researchers at a Belgian security company recently found a way to replicate a command-line injection vulnerability in Windows shell scripts, which could allow malicious actors full access to vulnerable computers. It’s worth noting that this flaw isn’t present in official Windows scripting, but third-party Windows scripts pose real risk. This vulnerability extends even into new Windows 10 previews, according to Seculert CTO Aviv Raff. So long as users audit any outside scripts for access permissions, the threat level should remain low — good to hear since Microsoft probably won’t patch this hole.
And guess what? This isn’t the first problem Microsoft has encountered with PowerPoint files. At the beginning of October, NATO and several European telecom companies were attacked by a group called the “Sandworm Team”. Using the CVE-2014-4114 vulnerability, these attackers leveraged OLE components to execute malicious code on target machines — just like the current zero-day issue. The difference? In Sandworm’s case, Office files with corrupted OLE objects linked to other, external files, requiring an active Internet connection for the hackers to complete their attack. The new version, CVE-2014-6352, doesn’t require this kind of outside action, meaning Network Intrusion Prevention Systems (NIPS) won’t spot the problem.
Although Microsoft issued a fix for Sandworm on October 14th, there’s no official patch for the new PowerPoint problem — and it hasn’t spread far enough to get a catchy name like Heartbleed or Shellshock. Still, the exploit should be on your radar, since Office files are so common and used by a host of different programs — some of which aren’t Microsoft-approved or tested.
If you didn’t hate PowerPoint before, feel free to jump on the bandwagon, since a corrupted .PPT file could now mark the death of your computer.