Feeds

Patches bring zero-day relief from PDF and PowerPoint flaws

Phew

Top 5 reasons to deploy VMware with Tegile

Microsoft has released a solitary bulletin that covers 14 vulnerabilities in PowerPoint, including a zero-day bug that has been the target of hacker exploitation over recent weeks, as part of its May Patch Tuesday update.

All versions of PowerPoint will need patching with the cumulative update, which earns Redmond's highest security rating of "critical".

Eric Schultze, CTO at patching firm Shavlik Technologies and a former manager at programme manager for the Microsoft Security Response Centre, commented: "The patches released today include versions of Powerpoint that weren't flagged as vulnerable to the zero-day as Microsoft also included fixes for 13 additional vulnerabilities that were privately reported.

"Some of these vulnerabilities impact the newer versions of Powerpoint that were not vulnerable to the 0-day. Included in today's release are patches for the Powerpoint viewer as well as the full version of Powerpoint."

Andrew Storms, Director of Security Operations for nCircle, added that the patch brings relief from zero-day flaws in Microsoft Office software for the first time in nearly two months.

"For the last two months users have been battling Microsoft office zero day attacks. The first set in February were in Microsoft Excel. The second set, announced on April 2nd, made users afraid of opening PowerPoint files," Storms said.

"Forty days from bug to bug fix is a decent turnaround for Microsoft given the vast number of Microsoft Office permutations that need to be quality tested."

The Internet Storm Centre's take on Microsoft patch can be found here. Microsoft's bulletin is here.

Separately Adobe released an update that defends Adobe Reader against another zero-day vulnerability. The flaw in Adobe Reader 9.1 and Acrobat has been the target of hacking attacks since last month and was, if anything, more dangerous than the 0-day PowerPoint flaw.

More details on the fix from Adobe can be found here.

Andrew Clarke, senior vice president at Lumension Security, notes that PDF files alongside Microsoft Office applications have become a leading vector for targeted attacks.

"Popular applications and files like Adobe PDF files or Word, Excel or PowerPoint files have been great vehicles for targeted attacks because those attachments are so socially acceptable and are simply expected attachments within corporate email," Clarke said.

Apart from fixes from Microsoft, Adobe and Apple other vendors including Google, F-Secure,, HP, Symantec and Mozilla have collectively released a slew of patches for popular software applications over recent days. Lumension Security summarises these non-Microsoft patches here. ®

Intelligent flash storage arrays

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.