Microsoft has warned Windows users that cyber criminals are exploiting a zero-day vulnerability using malicious PowerPoint documents.

The vulnerability affects all versions of Windows except Windows Server 2003.

Microsoft has already released a Fixit tool that neuters known PowerPoint attacks but there is a risk that new attacks may yet spring up. The fix, found here, is not available for 64-bit versions of PowerPoint run on 64-bit versions of Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2012 R2.

The flaw is a remote code execution vulnerability, meaning a successful attack lets an attacker hijack a PC once the user opens a crafted Office document. That foothold can then be used to plant further malware or to steal personal or sensitive data stored on the target machine.

In the case of a successful attack, the intruder gains the same privileges as the logged-on user, which is a significant problem for those who work as an administrator, or for those who simply click through the User Account Control (UAC) prompt that appears when the document is opened. Microsoft reports that a UAC prompt appears in every attack it is aware of.

A UAC prompt appearing when a document is opened is not normal, but many users may not know that, which again highlights why security awareness matters both in business and among home users.

Of course, it isn’t only Microsoft Office documents that pose a threat here: other file types could do so too if the application that opens them supports OLE (object linking and embedding) objects.
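As an added illustration (not code from the article or from any of the vendors quoted), the triage script below shows where such objects live in a modern PowerPoint file: a .pptx is a zip package whose `.rels` parts declare each embedded or linked OLE object by a fixed relationship type, and a `TargetMode="External"` entry points outside the package. The sample package it builds is constructed for the example; the `file://example.invalid/...` target is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type used for both embedded and linked OLE objects.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def find_ole_objects(pptx_bytes):
    """List (rels part, target, is_external) for every OLE relationship in a PPTX package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):  # relationship parts live under _rels/
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("Type") == OLE_REL:
                    external = rel.get("TargetMode", "Internal") == "External"
                    found.append((name, rel.get("Target"), external))
    return found


def triage(pptx_bytes):
    """Count embedded vs. externally linked OLE objects; a link outside the package is the bigger red flag."""
    objs = find_ole_objects(pptx_bytes)
    return {"embedded": sum(1 for o in objs if not o[2]),
            "external": sum(1 for o in objs if o[2])}


def build_sample_pptx():
    """Constructed sample (not a real deck): one embedded and one externally linked OLE object."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="%s" Target="../embeddings/oleObject1.bin"/>'
        '<Relationship Id="rId2" Type="%s" Target="file://example.invalid/share/object.bin"'
        ' TargetMode="External"/></Relationships>' % (OLE_REL, OLE_REL)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder parts only
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        zf.writestr("ppt/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()
```

Run `find_ole_objects` over a suspicious deck to see every OLE reference and `triage` for a quick count; the same relationship type applies to .docx and .xlsx packages.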

Commenting on the news, Sagie Dulce, security research engineer at Imperva, said:

“This was recently discovered by iSight. They exposed a Russian hacker group they call SandWorm.

This vulnerability was used for the initial compromise. Using social engineering, this group gained an initial foothold on machines by convincing the victim to open a PowerPoint document.
The victim also had to click “allow” when opening the file, to allow malicious code to be executed.

“According to iSight: “there have been several confirmed incidents in Ukraine, Poland, Western Europe and the United States since at least 2009. NATO, the public sector and private firms in energy and telecommunications have been targeted.”

“The malware identified in relation to this attack is BlackEnergy, early versions of which were used for DDoS, spam and credit card theft.

Because this campaign seems to be government sponsored, the malware was probably used to download additional components after the initial exploit (and not to perform DDoS).

“Apart from the newest zero day, these attackers exploited a range of Office related exploits, dating back to 2010.”

Mark Sparshott, EMEA director at Proofpoint, highlighted how the bad guys could employ phishing techniques to get infected emails onto a target system:

“Object Linking & Embedding (OLE) is legitimately used to display parts of a file within another file, e.g. to display a chart from an Excel spreadsheet within a PowerPoint presentation. This is not the first time that a vulnerability in OLE has been exploited by cybercriminals; however, most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.

The race is on. Cybercriminals will use phishing and longlining emails containing URL links to websites hosting malicious files that exploit this vulnerability, or attach the malicious file to the email itself. While Microsoft and security vendors rush to close the security hole, the best form of defence remains using the latest next generation detection technologies, such as sandboxing at the email gateway, to prevent the emails reaching users in the first place. Organisations not yet using advanced detection tools will need to fall back to notifying users and relying on them not to click the links and open files. Unfortunately, Proofpoint’s Human Factor Report highlighted that staff click on 1 in 10 malicious links on average, so cybercriminals will see a lot of success before the security gap on this vulnerability is closed.”

Mark James, security expert at ESET, made the point that the end user would need to initiate the attack in some way, highlighting yet again how technology can only take security so far:

“These particular attack vectors are created from a number of opportunities: either the user must be directed to an offending website, or an email containing the compromised file would need to be opened. If directed to a website, an email containing a link with a promise of a reward or benefit would arrive in your inbox which, if clicked, would present you, in this case, with a PowerPoint show or presentation (all Microsoft Office file types, as well as many other third-party file types, could contain a malicious OLE object), again with some kind of enticing properties (celebrities are often used in these cases). If you are tempted to click and open the file, you could open up the possibility of being infected by further malware.

Obviously in this case, and in many other similar scenarios, the end user must initiate the means to be infected. User Account Control (UAC) will help protect you in these cases and is on by default in operating systems from Vista onwards. Users should also always be mindful of emails containing links or files, even from sources they trust. It’s better to delete and ask the sender to send again than to chance being infected and opening up your whole business network to malware attack. Also, wherever possible, do not use an administrator account when working with emails. These vulnerabilities take on the same access rights as the account that executed the file; if that is full admin rights, then you’re in a whole world of trouble.”

Lamar Bailey, director of security research and development at Tripwire, played down the threat posed by the zero day, saying:

“This is not a major issue. The vulnerability is just an escalation of privilege issue and requires a watering hole attack and/or persuading the victim to open a file to exploit. If a user can be convinced via email, instant message, social media, or in some other manner to open a PowerPoint attachment, then the attacker will gain the same user rights as the current user.

If the current user has the ability to install programs or access critical systems in the environment this could be used by attackers to gain a foothold in a network and the exploited system would be used as a base of attack.

Users should know better than to open attachments from unknown sources in email or to download documents from random internet sites. A successful attack will likely spoof an email from an internal user or put a malicious file on a compromised site.”

While I agree that the issue shouldn’t be a major one for the reasons Lamar mentions, it is unfortunate that in 2014 not every user understands the need to be careful when opening emails or downloading documents, whatever their source.

Until at least a moderate appreciation of security issues is held by the population at large, such attacks will still, alas, continue to be successful for those that launch them.