15 September 2009

Microsoft PowerPoint Vulnerabilities

This week's Patch Tuesday is focused on PowerPoint vulnerabilities. Since PowerPoint files are frequently exchanged across organizational boundaries and are not blocked by most email gateways, this vector has been used extensively for targeted attacks in the past. At this point all customers should be well aware that attackers have been able to apply highly effective targeted fuzzing to PowerPoint and the other Microsoft Office file formats. Rapid7 expects that we'll see more vulnerabilities in those products in the future.

Microsoft Office vulnerabilities present a unique threat to organizations because they provide a way for attackers to easily breach the perimeter firewall, gain access to internal systems through email, and then spread throughout the enterprise using network shares, internal email or collaboration systems like Microsoft SharePoint and Lotus Notes. A single email with a malicious PowerPoint attachment could be enough to compromise the desktops of enough critical personnel to cripple even a large enterprise.

We believe that a defense-in-depth approach is crucial to protecting enterprises from these attacks. The Microsoft Office Isolated Conversion Environment (MOICE), combined with system protections such as Data Execution Prevention (DEP), reduces the risk of successful exploitation. Outbound firewalls, limited user accounts and network segmentation are also highly recommended best practices.

The MS09-017 security bulletin released today includes a fix for 14 new vulnerabilities. It is interesting that most of them were reported to Microsoft by researchers working through the iDefense and TippingPoint vulnerability acquisition programs, rather than by researchers working directly with the vendor. We believe that this is another example of the increased value of vulnerabilities and the amount of effort required to find them. The large number of vulnerabilities in PowerPoint is not that surprising, considering the immense attack surface and poor code quality of the legacy file format parsers in Microsoft Office. Unfortunately, for most organizations there are few alternatives to exchanging Microsoft Office documents with untrusted parties over email. Even PDF, which for years has been considered more secure than the Office file formats, has proven to be riddled with vulnerabilities that attackers are actively exploiting.

The only good news is that so far we have seen very few vulnerabilities in the new XML-based file formats introduced in Office 2007, which suggests that the measures Microsoft has taken in recent years to increase code quality and security are bearing fruit. Organizations that can afford to make a complete break with the legacy products and file formats will have a better security posture than those still supporting them.

At least one of the vulnerabilities fixed in this bulletin was a public zero-day vulnerability described in Microsoft Security Advisory 969136 (dated April 2, 2009). This vulnerability was discovered in the wild and has been used in limited targeted attacks, but widespread exploitation is not currently being observed. It is, however, likely that this vulnerability will become known to a larger number of attackers in the days after the Microsoft patch is released. Customers who are at risk of targeted attacks are advised to apply this patch promptly, but in most organizations the update can be applied within the regular patch lifecycle.

These new vulnerabilities fit a common pattern many organizations fail to recognize. For example, Adobe has been the hot target lately due to well-publicized Reader vulnerabilities that hackers have exploited, both in limited targeted attacks and in mass exploitation for building botnets. As administrators continue to be on the lookout for new issues and rush to patch Adobe flaws, hackers will now revert back to "old" attack vectors that are not receiving as much attention, like PowerPoint and other Office vulnerabilities. The false sense of security around "old" threats is put to use all the time by hackers, and this see-saw approach keeps them one step ahead of organizations.