From: InfoSec News (alertsinfosecnews.org)
Date: Tue Jul 18 2006 - 00:46:13 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://news.com.com/Microsoft+to+plug+PowerPoint+hole/2100-1002_3-6095181.html

By Joris Evers
Staff Writer, CNET News.com
July 17, 2006

Microsoft is readying a fix for a zero-day flaw in PowerPoint that is
being exploited in targeted cyberattacks, the company said Monday.

A patch is being completed and is scheduled to be released on Aug. 8,
Microsoft's next "Patch Tuesday," the company said in a security advisory.
The fix may be released sooner, if that is warranted, Microsoft said.

Word of the new PowerPoint flaw came last week, only a day after Microsoft
released seven security bulletins with fixes for 18 flaws on its July
patch day. The new PowerPoint problem could enable an attacker to gain
complete control over a vulnerable PC, if a malicious file is opened by
its user.

"In order for this attack to be carried out, a user must first open a
malicious PowerPoint document attached to an e-mail or otherwise provided
to them by an attacker," Microsoft said in its advisory.

The vulnerability affects PowerPoint 2000, PowerPoint 2002 and PowerPoint
2003. Attacks that exploit the flaw in the presentation application are
"limited," Microsoft said. Typically, they have to be widespread for the
company to issue a patch outside of its monthly schedule.

Some security experts believe the timing of an attack to follow right
after a monthly patch day is no coincidence. Microsoft typically does not
release fixes outside of its monthly patching cycle for such flaws, giving
miscreants at least a month to try to profit from them.

_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]