[VIM] "new" PowerPoint vuln apparently old

Steven M. Christey coley at mitre.org
Tue Sep 19 17:54:25 EDT 2006

FYI, the new PowerPoint vuln is a dupe according to MS.  This is at
least twice where an AV company has been the first to release an
apparently unknown issue that turned out to be a dupe.  Wonder if this
pattern will continue, where forensics in the first few minutes of a
0-day attack produces more dupes than intended?  In this case though,
since CVE-2006-0009 has been fixed, wouldn't the company have been
able to prove that a patched version was immune?  Unless the original
AV report was the best available information at the time the signature
was released, probably within minutes of receiving the sample.

Name: CVE-2006-4854
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4854
Reference: MISC:http://www.symantec.com/security_response/writeup.jsp?docid=2006-091810-5028-99
Reference: FULLDISC:20060919 New PowerPoint 0-day Trojan in the wild
Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049540.html
Reference: MISC:http://blogs.securiteam.com/?author=28
Reference: BID:20059
Reference: URL:http://www.securityfocus.com/bid/20059
Reference: FRSIRT:ADV-2006-3678
Reference: URL:http://www.frsirt.com/english/advisories/2006/3678
Reference: XF:powerpoint-presentation-code-execution(29009)
Reference: URL:http://xforce.iss.net/xforce/xfdb/29009

** REJECT **

Unspecified vulnerability in Microsoft Office 2000 (Chinese Edition)
and Microsoft PowerPoint 2000 (Chinese Edition) allows user-assisted
attackers to execute arbitrary code via a crafted PPT document, as
exploited by malware such as Trojan.PPDropper.E.  NOTE: on 20060919,
Microsoft notified CVE that this is a duplicate of CVE-2006-0009.

More information about the VIM mailing list