PowerPoint Version of (just patched) Office Zero-Day Spotted
Tuesday February 13, 2007 at 9:08 pm CST
Posted by Craig Schmugar
Earlier today Symantec posted a description for Trojan.PPDropper.G. The vulnerability mentioned in the description has been assigned CVE-2007-0913. SANS added it to their missing Microsoft patches table.
However, McAfee Avert Labs’ testing shows this issue was patched today in MS07-015 along with the Office Zero-Day reported by McAfee on February 2 (CVE-2007-0671). This testing suggests Trojan.PPDropper.G may in fact be a PowerPoint version of the Office zero-day exploit used in Exploit-MSExcel.h.
We will post an update when we have more definitive information.
Update Feb 14, 2007
Microsoft has confirmed that this is patched in MS07-015 and related to CVE-2007-0671.

November 17th, 2007 at 10:07 am
There is something of a mystery here… MS07-015 claims to patch CVE-2007-0671 and CVE-2006-3877 - not CVE-2007-0913. At the same time, the malware that Symantec calls “Trojan.PPDropper.G” (and which McAfee’s scanner calls “Exploit-PPT.g”) most definitely does *not* contain CVE-2006-3877. So, CVE-2006-3877 and CVE-2007-0913 are not one and the same thing.
The only explanation is that MS07-015 has patched more than the two vulnerabilities it claims to have patched. Unfortunately, this still leaves unclear what exactly CVE-2007-0913 is. (I have a good understanding of what CVE-2007-0671 and CVE-2006-3877 are.) Microsoft’s claim that “it is related to CVE-2007-0671” should be taken with a pinch of salt. Trust me, I *know* what kind of corruption CVE-2007-0671 uses in Excel files and that kind of corruption is most definitely *not* present in the equivalent PowerPoint records in the sample that is supposed to contain CVE-2007-0913.
As a side note, I’ve seen at least 8 other samples in Symantec’s monthly collections, all of them - PowerPoint files 1,933,824 bytes long (like the original), all of them having a very similar structure (and probably all of them containing CVE-2007-0913) but none of them detected by McAfee’s scanner.
December 17th, 2007 at 11:20 pm
OK, Peter Ferrie from Symantec figured out what CVE-2007-0913 is. Yep, it’s different from CVE-2006-3877 and CVE-2007-0671 (as I expected, Microsoft’s information is crap) and it was fixed by MS07-015. The other samples I mentioned indeed contain this exploit.