These attacks take advantage of a previously unknown vulnerability in PowerPoint for which no patch is available, security experts at Symantec said in an alert issued Wednesday. The flaw might affect Microsoft Office in general, according to the alert.
Microsoft is investigating the issue, it said in an e-mailed statement Thursday. The company is aware of attacks that exploit the flaw, but those are "extremely limited, targeted attacks," it said. For an attack to be successful, users must open a malicious PowerPoint file provided to them, for example via e-mail, Microsoft noted.
It seems like history is repeating itself. Days after last month's "Patch Tuesday," security experts raised the alarm on a "zero-day" flaw in Microsoft's Excel that was being used in targeted attacks. Microsoft released a fix for the Excel vulnerability on Tuesday.
Like the Excel flaw, the PowerPoint vulnerability can allow an attacker to gain complete control over a vulnerable PC, Symantec said. "When a user launches the (malicious) PowerPoint document, the vulnerability is triggered. Successful exploitation of this issue leads to remote code execution," Symantec said in its alert.
On Tuesday, Microsoft released seven security bulletins with fixes for 18 vulnerabilities in several of its products, including many in Office. Some security experts believe the timing of an attack right after a monthly patch day is no coincidence. Microsoft typically does not release fixes outside of its monthly patching cycle for such flaws.
"It looks like the bad guys are waiting for the Microsoft patch days in order to use some more vulnerabilities in Office," said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. "They will now have at least one more month for their attacks."
Microsoft said it will take action to protect customers upon completion of its investigation into the new flaw. This may include issuing a security advisory or providing a security update through its monthly release process, the company said.
Meanwhile, the software giant left two already known security vulnerabilities unfixed on Tuesday. One of the flaws lies in a Windows component called "hlink.dll" and could be exploited by crafting a malicious Excel file. Another affects Japanese, Korean and Chinese language versions of Excel. Both flaws could completely compromise a PC if a targeted user opens a malicious file.
Although Microsoft was aware of the two vulnerabilities prior to the July security bulletin release, both issues were reported too late in the engineering process for the company to include security updates with the July release, a Microsoft spokesman said.
Proof of concept code that exploits both flaws has been released publicly for both of these flaws, but there are no reports of active attacks, Microsoft said.
"So we have two old unpatched holes and one new one," Marx said. "We're up to three troublemakers now. Excel and PowerPoint can be quite dangerous, at least until the next patch day."
