Back with a vengeance: Fresh MS06-028 malicious PowerPoint documents

We have seen a few malicious PowerPoint documents come through the labs in the past few days. These malicious documents exploit the MS06-028 vulnerability, for which a patch has been available since June 21… 2006. Yes, that’s right — a patch has been available for more than 3 years.

If you were one of the responsible ones, having patched your system at some point before now, then by opening one of these malicious documents, you would see the following:

Though if you saw this message, it is debatable how responsible you are — you let yourself be coerced into opening a malicious PPT on your machine.

For the completely irresponsible out there — not having patched your system and remaining blissfully unaware of the many recent zero-day vulnerabilities — when you double-clicked one of these malicious PPT’s, you would notice a brief flicker on-screen before seeing the PowerPoint open a presentation to the following first slide:

Despite the fact that PowerPoint is now displaying a valid PPT file, you can be sure the malicious payload Troj/Protux-Gen has been dropped on your machine. The screen flicker is caused by the shellcode, which drops and runs another executable Troj/ReopnPPT-A that kills any open PowerPoint processes, removes the shellcode from the malicious PPT and re-opens PowerPoint with the newly disinfected presentation.

Sophos detects the malicious documents as Troj/ExpPPT-G. Clever buffer overflow protection mechanisms cannot help defend against these documents, since the exploit takes advantage of unchecked data in file parsing logic. In short, the vulnerability allows a pointer into the memory-mapped image of the PPT file to be calculated

and subsequently called.

For extra piece-of-mind, you can also check your PPT documents before opening them using Microsoft’s OffVis tool for parsing Office documents, which was released to the public about a month ago. It detects the exploit of several MS Office vulnerabilities, and indeed displays the following when examining a Troj/ExpPPT-G:

But this is all moot because you have already patched your system, right?