Inside the PowerPoint mega-patch

By Eric Schultze

Microsoft patched all Windows versions of PowerPoint today — addressing both a zero-day flaw [microsoft.com] and 13 other privately reported security vulnerabilities. The zero-day vulnerability enabled attackers to take over client machines if a user opened a malformed PowerPoint document or visited an evil website. The attacker would be able to execute code on the user’s machine with the same level of permissions afforded to the logged-on user. (If the user was logged on as an administrator, the evil code could execute as admin. If the user was logged on with a user-level account, the evil code could only execute with user permissions, not admin permissions.)


Microsoft has NOT released a patch at this time for PowerPoint on Mac.  They said they weren’t seeing this flaw being executed against Macs and therefore didn’t want to hold up release of this patch for Windows machines while they finished the Mac patch. The patch for PowerPoint on Mac will be released at a later date.


Today’s patches also cover versions of PowerPoint that were not flagged as vulnerable to the zero-day, because Microsoft included fixes for 13 additional, privately reported vulnerabilities. Some of those vulnerabilities affect newer versions of PowerPoint that were not exposed to the 0-day. Today’s release includes patches for the PowerPoint Viewer as well as the full version of PowerPoint.

Security patches for products like PowerPoint are considered ‘client-side’ patches because the flaws they fix can only be exploited once a user has taken an action on their computer. Typical client-side actions include opening malicious documents, reading an evil email, or viewing an evil web page. These types of attacks are usually constrained to systems where a user is interactively working at the desktop. Systems that see little user interaction at the desktop, like servers, are usually less susceptible to client-side attacks, though they are just as vulnerable if a user performs one of these actions at the desktop. In most cases, client-side exploits only obtain the same level of access on the system as the currently logged-on user.


Server-side attacks, on the other hand, don’t require user interaction to exploit vulnerabilities.  Both workstations and servers are susceptible to server-side attacks.  Server-side vulnerabilities leverage flaws in ‘services’ that are running on machines such as web services, file and print services, and networking services (such as TCP/IP or NetBIOS).  Because these services are constantly running and are exposed externally on the system, no user interaction is required to interact with these services.  This means the exploit can propagate from machine to machine very quickly.  SQL Slammer, Nimda, Code Red, and Conficker are all examples of server-side exploitation.  In many instances, server-side exploitation leads to administrative or ‘system’ level access on the target computer.

Viruses are a great example of a client-side vulnerability. Because they are client-side, viruses usually require user interaction in order to spread and are therefore slower to spread than a worm. Worms, on the other hand, are representative of server-side exploitation. Since a worm doesn’t require user intervention to spread, it can propagate to other systems very rapidly.

Based on these definitions, today’s PowerPoint release addresses a client-side vulnerability. Its attack vector is dependent upon a user performing an action. As a result, we won’t see rapid propagation of infected systems through this vector (though once a machine is infected, it could launch other attacks using worm-like server-side attack mechanisms, as Conficker does). Best to patch your client-side systems (where users interact with the desktop) for this issue first, then patch any servers where PowerPoint products may be installed.
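As an added illustration of the triage rule in the preceding paragraphs (example code written for this page, not Eric Schultze’s or Shavlik’s), the script below orders a constructed host inventory the way the post suggests: for a client-side flaw, desktops with interactive users first (those logged on as administrators ahead of standard users), then servers that merely have the product installed; for a server-side flaw, every host exposing the service, with no interaction distinction. Host names, product labels and service labels are invented.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Host:
    name: str
    role: str                  # "workstation" or "server"
    interactive_desktop: bool  # users open documents / browse at the console
    admin_users: bool          # those users are logged on as administrators
    products: List[str] = field(default_factory=list)  # installed client software
    services: List[str] = field(default_factory=list)  # network-exposed services

@dataclass
class Vuln:
    name: str
    vector: str         # "client-side" or "server-side", per the post's definitions
    affects: List[str]  # products (client-side) or services (server-side)

# Constructed inventory; names, products and services are invented.
HOSTS = [
    Host("pc-alice", "workstation", True, True, ["PowerPoint"], ["smb"]),
    Host("pc-bob", "workstation", True, False, ["PowerPoint Viewer"]),
    Host("pc-carol", "workstation", True, False, [], ["smb"]),
    Host("file-01", "server", False, False, ["PowerPoint Viewer"], ["smb"]),
    Host("web-01", "server", False, False, [], ["iis", "smb"]),
]
PPT_ZERO_DAY = Vuln("PowerPoint malformed-document flaw", "client-side",
                    ["PowerPoint", "PowerPoint Viewer"])
SMB_FLAW = Vuln("hypothetical file-sharing service flaw", "server-side", ["smb"])

def affected_hosts(vuln: Vuln, hosts: List[Host]) -> List[Host]:
    """Hosts carrying an affected product (client-side) or exposed service."""
    attr = "products" if vuln.vector == "client-side" else "services"
    return [h for h in hosts if set(getattr(h, attr)) & set(vuln.affects)]

def patch_order(vuln: Vuln, hosts: List[Host]) -> List[str]:
    """Patch sequence following the post's rule.

    Client-side: the flaw fires only when a user opens a document or web
    page and runs with that user's rights, so desktops with interactive
    users go first (admin-logged-on users ahead of standard users), then
    servers that merely have the product installed.
    Server-side: no user action is needed, so every host exposing the
    service is equally urgent; they are simply listed by name.
    """
    targets = affected_hosts(vuln, hosts)
    if vuln.vector == "client-side":
        key = lambda h: (not h.interactive_desktop, not h.admin_users, h.name)
    else:
        key = lambda h: h.name
    return [h.name for h in sorted(targets, key=key)]
```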

* Eric Schultze is chief technology officer at Shavlik Technologies, a vulnerability management company.
