Microsoft to plug PowerPoint hole
By Joris Evers
Staff Writer, CNET News.com
Published: July 17, 2006, 4:55 PM PDT
Microsoft is readying a fix for a
zero-day flaw in PowerPoint that is being exploited in targeted cyberattacks,
the company said Monday.
A patch is being completed and is
scheduled to be released on Aug. 8, Microsoft's next "Patch Tuesday,"
the company said in a security advisory.
The fix may be released sooner, if that is warranted, Microsoft said.
Word of the new PowerPoint flaw came last week,
only a day after Microsoft released seven security bulletins
with fixes for 18 flaws on its July patch day. The new PowerPoint
problem could enable an attacker to gain complete control over a vulnerable PC,
if a malicious file is opened by its user.
"In order for this attack to be
carried out, a user must first open a malicious PowerPoint document attached to
an e-mail or otherwise provided to them by an attacker," Microsoft said in
its advisory.
The vulnerability affects PowerPoint
2000, PowerPoint 2002 and PowerPoint 2003. Attacks that exploit the flaw in the
presentation application are "limited," Microsoft said. Typically,
attacks have to be widespread for the company to issue a patch outside of its
monthly schedule.
Some security experts believe the
timing of an attack right after a monthly patch day is
no coincidence. Microsoft typically does not release fixes outside
of its monthly patching cycle for such flaws, giving miscreants at least a
month to try to profit from them.