Hackers are exploiting a security flaw in Microsoft Office by using PowerPoint to attack Windows users and gain control of computer systems.
Microsoft, in a security advisory on its website, says there have been “limited, targeted attacks” against users through Microsoft PowerPoint. An attacker who successfully exploits the security flaw could gain complete control of the system. With that sort of control, hackers could execute code remotely, alter or delete data and install harmful programs, like malware.
The hack affects all supported releases of Microsoft Windows (with the exception of Windows Server 2003), and it’s executed when a computer opens a specially crafted Microsoft Office file that contains a malicious version of what’s called an OLE (or object linking and embedding) object. An OLE object, in this sense, is data that’s embedded in a different file, like an Excel spreadsheet in a Word document, for example.
The attack requires user interaction, so you would have to consent to open the file containing an infected OLE object. So if you tried to download a PowerPoint file from the web, a display prompt would ask for download permission. Consent prompts are fairly common, however, so users might not even realize they’re granting permission to an infected file. For now, Microsoft suggests users avoid opening any PowerPoint files from an untrusted source.
Microsoft says all Office file types could potentially contain malicious OLE objects, so it isn’t necessarily a vulnerability specific to PowerPoint. The company declined to elaborate on the threat, but a spokesman pointed to a blog post it released on the subject.
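Because any Office file type can carry an OLE object, a received file can be inventoried for embedded objects without opening it in Office. The Python sketch below is an added example, not code from Microsoft or from this article; it lists OLE relationships and OLE2-format parts inside a zip-based Office file (.pptx, .docx, .xlsx), and a hit means only that an object is present, not that it is malicious. The sample file is constructed in memory, the function names are hypothetical, and the older binary formats (.ppt, .doc, .xls) are out of scope because they are OLE2 containers themselves.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file header
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_ole_objects(data: bytes) -> dict:
    """Inventory OLE content in an OOXML package without opening it in Office."""
    report = {"ole_relationships": [], "ole2_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.endswith(".rels"):
                # Relationship parts declare what each slide or page embeds or links.
                # For hostile input, prefer a hardened XML parser such as defusedxml.
                root = ET.fromstring(pkg.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    if rel.get("Type") == OLE_REL:
                        report["ole_relationships"].append(
                            (name, rel.get("Target"), rel.get("TargetMode", "Internal")))
            else:
                # Embedded OLE objects are stored as OLE2 compound files.
                with pkg.open(name) as part:
                    if part.read(8) == OLE2_MAGIC:
                        report["ole2_parts"].append(name)
    return report


def build_sample() -> bytes:
    """Constructed sample: a minimal zip shaped like a .pptx with one embedded object."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId2" Type="{OLE_REL}" Target="../embeddings/oleObject1.bin"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        z.writestr("ppt/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_ole_objects(build_sample()))
```

A relationship whose third field is `External` points at a linked object stored outside the file rather than an embedded one.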
For now, Microsoft continues to investigate the security flaw. Depending on what the company finds, that could lead to a security patch built into the monthly release update or even an emergency security update.
In the meantime, Microsoft outlines suggestions and workarounds for users worried about the security hole, including a downloadable tool to help protect Windows users.