25 October 2014
Microsoft has published a temporary fix following the discovery of a new zero-day flaw that affects almost all versions of Windows and is currently being exploited via PowerPoint.
The flaw, which affects all Windows releases except Windows Server 2003, can be exploited if a user is coaxed into opening a malicious Office file containing an OLE (object linking and embedding) object, the feature that enables users to edit a PowerPoint file from within another Office application such as Word.
In an advisory, the company said: “At this time, we are aware of limited, targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint.”
A successful attacker would gain the same rights as the logged-in user and could install other programs on an infected computer. Microsoft said that users whose accounts do not have administrator rights may be at less risk. It added that attacks could occur via email, either by the attacker sending a potential victim a malicious file or by convincing them to visit a compromised website containing “specially crafted content.”
Microsoft's fix is for the 32- and 64-bit versions of PowerPoint 2007, 2010 and 2013. This month's 'Patch Tuesday' saw the company release an unusually high number of security bulletins: eight in total, fixing three zero-day vulnerabilities at the same time.