RETURN ON TECHNOLOGY: Beware the dangers of PowerPoint attachments

August 7, 2006

In a bizarre twist on the term "PowerPoint poisoning," some black-hat programmer with way too much time on his hands has created a PowerPoint presentation that, when opened as an attachment to an e-mail, plants a piece of spyware on your system that sends home to the mothership every keystroke and mouse click. Businessfolk in the Midwest need not panic, however, because the offending PowerPoint is easy to spot: it's in Chinese. In the business, this sort of infection is known as a "Trojan horse," because the delivery mechanism isn't dangerous, while the payload is.

Who has time to whip up such a pathetic scheme? Security analysts were on it within 24 hours and alerts were out all over the 'Net shortly after. If this is a bona fide cyberthief, it would seem more cost-effective to just steal laptops and thumb drives than write code that trips alarms all over cyberspace when it appears. And in PowerPoint, no less. How many of us get PowerPoints routinely, even in China? They're usually big and clumsy to send and review, and only rarely does one appear spontaneously in an e-mail inbox. Not the ultimate in stealth "cybercrime."

This isn't the first time that PowerPoint has sprung a leak. Microsoft Office products come with "Visual Basic for Applications," which is a language for creating what are called "macros," or short programs that do things automatically. They also provide a back door out of the Office file and into your system. PowerPoint for Windows versions 97, 2000 and 2002 could all host malicious macros that would end-run the Office virus scans. PowerPoint isn't alone in this. Microsoft Excel for Windows, versions 97, 2000 and 2002, had the same problem. Microsoft has been responsive, building in stronger checking in later versions, but many of us still have the older versions, and are vulnerable. Excel and PowerPoint are particularly likely to hurt us because so often we look to Web sites for specialty templates for those two applications, and even "empty" templates can hold these little explosive devices.

You have to love how the capitalist ideal has factored into "malware," too. In late 2005, a vulnerability was discovered in Excel by an anonymous fellow who then tried to cash in by selling the details on eBay. eBay stopped the auction before it could be completed, but security analysts found the problem soon afterward anyway.

Lest Microsoft Word users become overly complacent, just last May a similar hole in Word was exploited to dump a Trojan on an unsuspecting business community. I say "business community" because these afflictions aren't aimed at the home user, who generally doesn't run software as expensive as Office. Home users have software like Microsoft Works, which is far less useful for business, and which isn't infected as often. No, they're intended for you and me, and are often used to gather intelligence like our logins and codes. That doesn't mean that home users are immune, because they surely aren't. They just aren't prime targets. We are.

Office has proven to be exposed to attack by photograph, too. Just this month, various Office applications were shown to be wide open to assault by GIF and PNG graphics, which are formats commonly used on the 'Net for photographs, drawings and the like. Another commonly used format, JPEG, wasn't implicated, but it's enough that GIF and PNG are. Just importing a bad picture into Word could trigger a Trojan.

Notice that the common thread here is that generally you have to open the Office document to spring the trap on yourself. Most of us don't intentionally infect our photographs or spreadsheets. In most cases, the threat arrives unexpectedly and unannounced, and should be promptly deleted from the inbox.

There is only a remote chance that a colleague may pass around an infected file without knowing it. Even if it happens, up-to-the-minute virus checkers can identify and quarantine most viruses. Microsoft's upgraded macro security works pretty well, too. Set to "high," it will stop macro operation from a downloaded file in its tracks, thereby neutralizing almost all macro malware. But Microsoft's solution is only in Office versions later than 2000, so if you want the security it offers you'll have to upgrade.

You can find the latest security alerts at Symantec (www.symantec.com) or at the U.S. Computer Emergency Readiness Team site (www.us-cert.gov). For Microsoft products, you can check out TechNet at Microsoft (www.microsoft.com). Two prominent antivirus companies are McAfee (www.mcafee.com) and Symantec. Both have extensive suites of products, and downloadable updates. Products like these will make sure that what's in Office stays in the office.

Altom is a senior business consultant for Perficient Consulting. His column appears every other week. He can be reached at timaltom@sbcglobal.net.