Microsoft issued an advisory last week - Microsoft Security Advisory (969136) "Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution" - that "could allow remote code execution if a user opens a specially crafted PowerPoint file."

The advisory uses very similar language to Microsoft's recent advisory on an Excel vulnerability, referring to "only...limited and targeted attacks that attempt to use this vulnerability", and committing only to "take the appropriate action to protect our customers."

Some, like The Register, are already linking the two threats together, and noting that so far, the Excel vulnerability remains unpatched. Out in the wider world, two questions keep recurring:

  • Does Microsoft intend to patch either or both vulnerabilities?
  • Why is it taking them so long when Adobe have already issued patches for several vulnerabilities flagged publicly at around the same time?

Since the quotes above are clearly boilerplate text (that is, a form of words defined in some sort of template document), it's unwise to read too much into them. However, the reference to targeted attacks does give the unfortunate impression that the flaws in question may not be considered high priority because of the limited number of people directly affected. I doubt if this is really the case: it's more likely that this is standard text meant to reassure us that there's no cause for panic.

Still, as I've pointed out here before, the damage caused by targeted malware can be immense: if the targeting is accurate and effective, a single attack may cause more damage (say to a major financial institution, or even to national security) than millions of old-style viruses sent out at random. The Excel advisory hasn't been updated since March 4th: perhaps it wouldn't do any harm if Microsoft were to acknowledge public concern and issue an update, if only to say that the company's developers are still on the case and taking the issue seriously.

As for the Adobe comparison, it's difficult to tell whether it's a fair one. A major software company does not usually disclose vulnerabilities as soon as it learns about them, unless its hand is forced by public disclosure elsewhere or by knowledge of current, significant live threats. At the very least, it attempts to restrict publication of a flaw until some mitigating action has been defined. Without definite knowledge of the disclosure timeline, or of the exact steps being taken to remedy the problem, it's neither fair nor useful to try to compare the responses of the two companies. Patch development isn't a five-minute job, or shouldn't be, and it's unfair to slag off a company because it's taking the time to do it properly.

Still, I'd suggest that Microsoft consider an update to let concerned customers know that the Excel vulnerability hasn't been forgotten. It would be nice to know where they're going with it and how soon they expect to get there. I'd also suggest that they don't leave their audience hanging so long over the PowerPoint issue.

David Harley
Director of Malware Intelligence