Back with a vengeance: Fresh MS06-028 malicious PowerPoint documents

Filed Under: SophosLabs

We have seen a few malicious PowerPoint documents come through the labs in the past few days. These malicious documents exploit the MS06-028 vulnerability, for which a patch has been available since June 21... 2006. Yes, that's right -- a patch has been available for more than 3 years.

If you were one of the responsible ones, having patched your system at some point before now, then by opening one of these malicious documents, you would see the following:

Though if you saw this message, it is debatable how responsible you are -- you let yourself be coerced into opening a malicious PPT on your machine.

For the completely irresponsible out there -- not having patched your system and remaining blissfully unaware of the many recent zero-day vulnerabilities -- when you double-clicked one of these malicious PPTs, you would notice a brief flicker on-screen before seeing PowerPoint open a presentation to the following first slide:

Despite the fact that PowerPoint is now displaying a valid PPT file, you can be sure the malicious payload Troj/Protux-Gen has been dropped on your machine. The screen flicker is caused by the shellcode, which drops and runs another executable, Troj/ReopnPPT-A, that kills any open PowerPoint processes, removes the shellcode from the malicious PPT and re-opens PowerPoint with the newly disinfected presentation.

Sophos detects the malicious documents as Troj/ExpPPT-G. Clever buffer overflow protection mechanisms cannot help defend against these documents, since the exploit takes advantage of unchecked data in file parsing logic. In short, the vulnerability allows a pointer into the memory-mapped image of the PPT file to be calculated and subsequently called.
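To make this class of bug concrete, here is an added example written for this post (it is not SophosLabs code and it is not the PPT file format): a tiny parser reads an offset and a length out of a constructed record, and the unchecked way of turning that offset into a pointer is shown beside a bounds-checked version. The record layout, the function names and the sample bytes are all assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record layout, used only for this illustration:
 *   bytes 0..3  little-endian offset of a payload within the file image
 *   bytes 4..7  little-endian length of that payload
 */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked pattern: the offset read from the file is added to the base of the
 * memory-mapped image and used as-is. Nothing ties it to the image, so whoever
 * wrote the file decides where the resulting pointer lands. */
static const uint8_t *locate_unchecked(const uint8_t *image, const uint8_t *record) {
    return image + read_le32(record);
}

/* Returns 1 when [off, off+len) lies entirely inside an image of image_len bytes.
 * The comparisons are done on sizes rather than on off+len, so a huge length
 * cannot wrap the sum back into range. */
static int span_in_image(size_t image_len, uint32_t off, uint32_t len) {
    if (off > image_len) return 0;
    if (len > image_len - off) return 0;
    return 1;
}

/* Checked pattern: the record must be complete and the span it describes must
 * fit in the image before any pointer is formed. Returns NULL on any violation. */
static const uint8_t *locate_checked(const uint8_t *image, size_t image_len,
                                     const uint8_t *record, size_t record_len,
                                     size_t *payload_len) {
    if (record_len < 8) return NULL;
    uint32_t off = read_le32(record);
    uint32_t len = read_le32(record + 4);
    if (!span_in_image(image_len, off, len)) return NULL;
    *payload_len = len;
    return image + off;
}

/* Convenience wrapper: 1 if the record would be accepted for an image of
 * image_len bytes, 0 otherwise. */
static int record_is_safe(const uint8_t *record, size_t record_len, size_t image_len) {
    static const uint8_t dummy[1] = {0};
    size_t n;
    /* Only the bounds decision is wanted here; no payload is read. */
    return locate_checked(dummy, image_len, record, record_len, &n) != NULL;
}

/* Constructed 16-byte "file image" and three constructed records. */
static const uint8_t kImage[16] = {
    'H','D','R',0, 0,0,0,0, 'D','A','T','A', 0,0,0,0
};
static const uint8_t kGoodRecord[8] = { 0x08,0,0,0, 0x04,0,0,0 };          /* offset 8, length 4 */
static const uint8_t kBadRecord[8]  = { 0x00,0x10,0,0, 0x04,0,0,0 };       /* offset 4096: outside the image */
static const uint8_t kWrapRecord[8] = { 0x0C,0,0,0, 0xFF,0xFF,0xFF,0xFF }; /* offset 12, length 0xFFFFFFFF: off+len wraps to 11 */

int main(void) {
    size_t n = 0;
    const uint8_t *p = locate_checked(kImage, sizeof kImage, kGoodRecord, sizeof kGoodRecord, &n);
    printf("good record  -> %s (%zu bytes at offset %u)\n",
           p ? "accepted" : "rejected", n, (unsigned)read_le32(kGoodRecord));
    printf("bad record   -> %s (unchecked code would point %u bytes past base)\n",
           record_is_safe(kBadRecord, sizeof kBadRecord, sizeof kImage) ? "accepted" : "rejected",
           (unsigned)read_le32(kBadRecord));
    printf("wrap record  -> %s (naive off+len check would have passed)\n",
           record_is_safe(kWrapRecord, sizeof kWrapRecord, sizeof kImage) ? "accepted" : "rejected");
    /* The unchecked path agrees with the checked one only while the file is honest. */
    printf("unchecked on good record points to '%c'\n", *locate_unchecked(kImage, kGoodRecord));
    return 0;
}
```

The wrap record is the case worth remembering: a check written as `off + len <= image_len` on 32-bit values accepts it, because 12 + 0xFFFFFFFF wraps to 11. Comparing `len` against the remaining space `image_len - off` after first confirming `off <= image_len` avoids that, and it is the kind of check a stack cookie or DEP can never substitute for, since no buffer is overrun; a trusted offset simply points somewhere it should not.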

For extra peace of mind, you can also check your PPT documents before opening them using Microsoft's OffVis tool for parsing Office documents, which was released to the public about a month ago. It detects the exploitation of several MS Office vulnerabilities, and indeed displays the following when examining a Troj/ExpPPT-G sample:

But this is all moot because you have already patched your system, right?
