powerpoint pptx files


13 replies to this topic

#1 rp88

rp88

  • Members

Posted 27 October 2014 - 02:28 PM

Is there something nasty going on with PowerPoint pptx files at present, some exploit in the wild or something? I downloaded some today, which should have been clean, then scanned them with AVG as I do with EVERY file I download, and it claimed to find a trojan horse sitting in each of them. I also let AVG scan some older .pptx PowerPoint slide show files on my machine and although I know they should have been clean it gave detections on those ones too. Is there some reason for this, has something happened recently that makes all pptx files suspect? Is it a false positive? Or is it likely a trojan has got itself into all my PowerPoint files, without touching anything else or showing up on MBAM scans? I don't think I have that sort of infection so I'm guessing it's one of the first two options. In each PowerPoint scanned AVG especially highlighted a particular element contained within the PowerPoint; this little thing it pointed at and mentioned in its detection summary under "view details" was "could be a trojan horse exploit .CVE-2014-4114" and mentions of a "file" called "name_of_my_powerpoint_file.pptx:\ppt\slides\_rels\slide(various numbers given here for different powerpoint files).xml.rels ". I didn't open the files but haven't deleted them either. Has anyone else found these things in pptx files recently, or heard of attack methods involving them?

(I didn't put this thread in "am i infected" because I don't think I am infected, I think this is something to do with the file type and it's either false positives or something that makes all pptx documents questionable.)

Extra info: it only finds pptx files; ppt (the older type of PowerPoint) format is ignored and treated as safe according to the scanner. It doesn't find them during full system scans either, because AVG is set to only scan "infectable file types" during full system scans, but will scan anything and everything when a folder or file is selected and right-clicked to scan.

Edited by rp88, 27 October 2014 - 03:00 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB



#2 Didier Stevens

Didier Stevens

  • BC Advisor

Posted 27 October 2014 - 04:23 PM

Yes, there is a new vulnerability in OLE: https://technet.microsoft.com/en-us/library/security/3010060.aspx

This can be exploited via pptx files, that's one of the vectors.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
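To see what the slide `.rels` parts named in the AVG report in post #1 actually hold, the following added example (not part of the thread and not code from any poster) opens a .pptx as the ZIP archive it is and lists the OLE object relationships in each `ppt/slides/_rels/slideN.xml.rels` part, marking those with `TargetMode="External"`. It is an inventory aid, not a detector for CVE-2014-4114; the function names, the size limit and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFDOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Inside the ZIP the path uses forward slashes, unlike the AV's display.
SLIDE_RELS = re.compile(r"^ppt/slides/_rels/slide\d+\.xml\.rels$")
MAX_PART = 1 << 20  # assumption: a slide .rels part is far smaller than 1 MiB

def ole_relationships(pptx):
    """List (part, target, is_external) for every OLE object relationship
    in the slide .rels parts of a .pptx given as a path or file object."""
    findings = []
    with zipfile.ZipFile(pptx) as zf:
        for info in zf.infolist():
            if not SLIDE_RELS.match(info.filename) or info.file_size > MAX_PART:
                continue
            data = zf.read(info)
            if b"<!DOCTYPE" in data:  # a .rels part has no use for a DTD; skip it
                continue
            for rel in ET.fromstring(data).iter(REL_NS + "Relationship"):
                if rel.get("Type") == OFFDOC + "oleObject":
                    external = rel.get("TargetMode") == "External"
                    findings.append((info.filename, rel.get("Target", ""), external))
    return findings

def build_sample():
    """Constructed sample: a ZIP holding one slide .rels part (not a full deck)."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OFFDOC}slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
        f'<Relationship Id="rId2" Type="{OFFDOC}oleObject" Target="../embeddings/oleObject1.bin"/>'
        f'<Relationship Id="rId3" Type="{OFFDOC}oleObject" Target="file:///C:/reports/linked.xlsx" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for part, target, external in ole_relationships(build_sample()):
        print(part, target, "EXTERNAL" if external else "embedded")
```

A deck with no OLE relationships in its slide parts returns an empty list, which is useful context when an antivirus flags every .pptx on a machine, old files included.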


#3 rp88

Posted 27 October 2014 - 08:04 PM

Are Publisher, Word, Excel and the other major Microsoft Office file types also affected then? It mentions them but doesn't say either way absolutely whether they are also currently "compromised formats". I assume this fixit thing will be in the next round of Windows updates and marked as a critical security one?

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator

Posted 27 October 2014 - 09:53 PM

From the link provided by Didier Stevens

...
At this time, we are aware of limited, targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint.

Microsoft Fix it solution... OLE packager Shim Workaround

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#5 Didier Stevens


Posted 28 October 2014 - 02:19 AM

Are Publisher, Word, Excel and the other major Microsoft Office file types also affected then? It mentions them but doesn't say either way absolutely whether they are also currently "compromised formats". I assume this fixit thing will be in the next round of Windows updates and marked as a critical security one?


Yes, I know how the vulnerability works, they can also be exploited. But for the moment we see samples for pptx.



#6 rp88


Posted 07 November 2014 - 06:37 PM

What is the situation with this now? Has an update to protect against these pptx (or if it's reached a worse state docx, xlsx and pub based attacks) file based attacks been rolled out yet? Does the vulnerability still exist? AVG stopped reporting all pptx files as being trojans a few days after this, but I've been very cautious about opening any, including those that I downloaded first many months ago, since I heard about this vulnerability.

#7 quietman7


Posted 07 November 2014 - 07:19 PM

Vulnerability in Microsoft OLE Published: October 21, 2014 | Updated: October 30, 2014



#8 Didier Stevens


Posted 08 November 2014 - 08:26 AM

Next Tuesday is the second Tuesday of the month. Microsoft releases security patches on the second Tuesday of the month.

 

I expect a patch for this vulnerability to be released on Tuesday.




#9 rp88


Posted 08 November 2014 - 09:54 AM

Not long to wait then. Thanks.

#10 Didier Stevens


Posted 12 November 2014 - 01:12 PM

The vulnerability is patched with MS14-064

 

https://technet.microsoft.com/library/security/ms14-064




#11 rp88


Posted 12 November 2014 - 02:34 PM

I use Windows 8 64 bit, I never saw KB301143 amongst the updates today. Was it in another one?

#12 quietman7


Posted 12 November 2014 - 03:39 PM

In the link provided by Didier Stevens

Microsoft Security Bulletin MS14-064 - Critical
Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)


And here...Microsoft Security Bulletin Summary for November 2014

#13 Didier Stevens


Posted 12 November 2014 - 03:41 PM

If you look under Affected Software in the link I posted, you'll find:

 

 

Windows 8.1 for x64-based Systems (3006226)

Windows 8.1 for x64-based Systems (3010788)

 

I have these in my updates for my Windows 8.1 x64 machine.

 

Do you?




#14 rp88


Posted 12 November 2014 - 06:06 PM

I have 8.0, not 8.1. These are the updates I downloaded and installed today; 3 others were offered but they were classed as "update for" rather than "security update for" (one of them was for the customer experience program, one had something to do with supporting new camera specific image file formats, one was something to fix some small non-security related issues; I will likely install these three within a few days). I think the ones for the critical issues are included in here, but from what I hear there is another yet to come; I guess it will be next Tuesday.

KB2889828
KB2899521
KB2687275
KB3005607
KB2976536
KB3006226
KB3002885
KB2978121
KB3008627
KB3003743
KB2992611
KB2589386
KB2878251
KB2889935
KB890830
KB3010788
KB2837602
KB2993958
KB2978127
KB3004150
KB3003057

were the ones I have installed today

Edited by rp88, 12 November 2014 - 06:07 PM.




