
Microsoft forced to issue quick fix for PowerPoint flaw

Vulnerability affects almost all versions of Windows

A bug in PowerPoint has been discovered that will allow hackers to hijack a victim's PC.

The zero-day vulnerability was outlined in a Microsoft security advisory, and the company issued a one-click "Fixit" tool to help users protect their PCs while a full patch is developed.

Hackers can take over a PC by sending victims a message with a malicious Office file containing a specially crafted OLE (Object Linking and Embedding) object.

If a user is persuaded to open the file, the attacker gains the same rights as that user, which is enough to install malware on the victim's computer.

"Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

"The attack requires user interaction to succeed on Windows clients with a default configuration, as User Account Control (UAC) is enabled and a consent prompt is displayed," the advisory stated.

Microsoft added that it is "aware of limited, targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint". The flaw is said to affect all supported versions of Windows including Windows Server 2008 and 2012.

Security experts said hackers are likely to employ phishing techniques to infect victims.

"This is not the first time that a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system," said Mark Sparshott, EMEA director at Proofpoint.

"What makes this vulnerability dangerous is that it affects the latest, fully-patched versions of Windows."

He added that while Microsoft and security vendors rush to close the security hole, "the best form of defence remains using the latest next generation detection technologies such as sandboxing at the email gateway to prevent the emails reaching users in the first place".

"Organisations not yet using advanced detection tools will need to fall back to notifying users and relying on them not to click the links and open files," he added.
