Microsoft Accused Of Not Sharing PowerPoint Exploit Info

out-of-cycle to patch a critical bug

Both McAfee Inc. and Symantec Corp. warned of a new unpatched vulnerability in PowerPoint, the presentation maker included with the Microsoft Office application suite. In an alert issued Wednesday to customers of its DeepSight threat system, Symantec said that the exploit -- a Trojan horse it dubbed "PPDropper.f" -- is being used to remotely exploit the bug. An attack, added Symantec's warning, "can result in arbitrary code execution on the victim computer."

Craig Schmugar, a virus researcher with McAfee's Avert Labs, first reported the vulnerability and exploit mid-day Tuesday in an entry on the research team's blog.

In an interview Wednesday, Schmugar said that PowerPoint 2002 (the version included with Office XP) and PowerPoint 2003 are vulnerable. "The vulnerability lets attackers introduce whatever code they want" into the compromised machine.

McAfee has detected two separate threats, although just one exploit. "They're the same exploit, but in two different packages," said Schmugar. An attack adds a backdoor Trojan to the victimized PC that then sends a report of its success to one of multiple remote servers. "The servers aren't responding as of now."


PowerPoint, which, like other Office applications such as Word and Excel, has already been patched this summer against active exploits, is being attacked through a malicious PowerPoint-formatted document sent to a limited number of users. Symantec said the document, named "FinalPresentationF05.ppt" or "2006-Jane.ppt," triggers the bug, launches the exploit, and loads the backdoor.

More important than the vulnerability itself and the ongoing attack, said Schmugar, is evidence that Microsoft knew of the problem but decided not to share the information with other security researchers.

"Microsoft's anti-virus engine is detecting both threats," said Schmugar. Definition updates dated Sept. 23 detect the two as Controlppt.w and Controlppt.x, although the limited information in the Malicious Software Encyclopedia shows dates of Sept. 26 for both. "That was a bit surprising. It's the first time I know of where Microsoft has a zero-day but detects it," said Schmugar. "This is the same vendor whose product is vulnerable that's detecting the threat. Microsoft's given out no public information, no advisory, no blog. When companies like Symantec report a vulnerability, you'll see something on the Microsoft blog.

"It's entirely possible that the [Microsoft] AV organization didn't know what they had or didn't communicate it with the rest of the company," Schmugar said. "But it's possible that the Microsoft security side didn't miss it, that Microsoft is just hoping that [the vulnerability] wasn't known before a patch is out."

Schmugar said he reported both the vulnerability and the active exploit to Microsoft, and received the standard reply. "They said, 'We're looking at it, we're aware of it,' that's all," said Schmugar.

A McAfee exec was more than irked at Microsoft, and essentially called out the Redmond, Wash. developer. "Not only has Microsoft just released an out-of-cycle patch for a recent VML vulnerability, it is currently trying to convince consumers and businesses that it's a credible provider of security software," said Siobhan MacDermott, McAfee's vice president of corporate communications, in an e-mail to TechWeb. "It's like closing the stable door after the horse already bolted. Too little, too late."

Later Wednesday, Microsoft issued a security advisory that acknowledged the PowerPoint bug, which affects not only PowerPoint 2002 and 2003, but also the 2000 version in Windows and two Mac editions, PowerPoint 2004 for Mac and PowerPoint v. X for Mac.

In an e-mail to TechWeb, a Microsoft spokesman said that the company's security team and anti-virus research group have worked closely together on the problem. "While the anti-malware team added detection for the specific malicious software to help determine spread, the MSRC [Microsoft Security Response Center] continued its investigation of the vulnerability itself," said the spokesman. "This is important to note because malicious software can use a variety of vulnerabilities, and vulnerabilities are not tied specifically to malicious software.

"Detection for the specific zero-day vulnerability was not added, only detection for the malicious software to help determine impact and spread."

Microsoft and its security partners -- now rivals -- have tussled publicly since the former entered the security market earlier this year. Some competitors have accused Microsoft of predatory pricing practices while others, such as Symantec, have issued research papers taking Vista's security to task.