by David Stern, CISSP
In the first part of this section, we introduced the need to consider a decision-making framework. Now we’ll go through some real-world examples to gain a better understanding of the process.
What is the vulnerability?
This question aims at gaining a broad situational awareness of the problem. From Secunia advisory 22127:
“A vulnerability has been reported in Microsoft PowerPoint, which can be exploited by malicious people to compromise a user’s system.
The vulnerability is due to an unspecified error when processing PowerPoint documents containing a malformed string. This can be exploited to corrupt system memory and may allow execution of arbitrary code when a malicious PowerPoint document is opened.”
I highlighted the key pieces above. Putting them together, we see that a successful attack will exploit PowerPoint, forcing it to run malicious code on your system. PowerPoint is a very popular application found on large numbers of corporate systems. The ability to execute arbitrary code makes this vulnerability a lot harder to deal with. While it may turn out to be nothing, for now, this vulnerability warrants further investigation.
What does it affect?
We know PowerPoint is the target, but with most vulnerabilities, the combination of operating system and application version matters. In this case, the following are affected:
Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office X for Mac
Microsoft Office XP
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft PowerPoint 2003
As a decision maker for your organization, you should have a general idea if you run one of these.
How is it delivered and how hard is it to deliver?
The vulnerability report states that the exploit involves “processing PowerPoint documents containing a malformed string.” Clearly, PowerPoint must open one of these bad files. If your organization emails around presentations, then the delivery method is clear. The report also states that “This vulnerability is reportedly being exploited in the wild.” An active exploit has been crafted and is traveling the ether. A good percentage of reported vulnerabilities never evolve into coded exploits, so this added information should also elevate your interest level.
Does my organization use any of the affected systems?
My real-world example of Code Red shows the importance of good asset management. The people in your organization responsible for desktop applications should definitively answer this question. If they can’t, this will be a great time to get that in order. Asset management is a critical piece of the risk management process. You certainly cannot manage risk that you don’t know exists.
Do I have any controls in place that would slow down or eliminate the effects of this vulnerability?
Here is where you really need to rise above the FUD. Let’s presume that you have a vulnerable version of PowerPoint deployed. Your IT group will need to deploy a patch, but that won’t happen instantaneously. You know that PowerPoint must open a bad file to be exploited. So all you need to do is keep a bad file from getting into the organization, as well as keep the users from opening it if it does get in.
What do you have in your arsenal that you can use?
If you are a decision maker, then it’s probably not your job to delve into technical nuances here. At a high level, you can initiate at least 3 courses of action. First, check with your anti-virus vendor to determine if they have deployed a signature update that mitigates this issue at the desktop level. Second, check your email controls and see if you can block outsiders from sending PowerPoint files. This measure can be deployed temporarily if it impacts business processes. Once the patch is deployed, you can continue with this practice. Third, craft a company-wide communication that warns users to not open emails with PowerPoints attached.
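For the team that has to implement the second course of action, here is a sketch of what "block outsiders from sending PowerPoint files" means as a mail-filter check. It is an added example, not code from the advisory or from any mail product; the internal domain, the sample senders and the attachment bytes are constructed assumptions. It checks file content as well as the file name, so a renamed attachment is still held.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}              # assumption: your own mail domains
PPT_EXTENSIONS = (".ppt", ".pps", ".pot")       # legacy binary PowerPoint files
PPT_MIME = "application/vnd.ms-powerpoint"
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of Office 97-2003 binary files

def is_external(msg):
    """True when the From: domain is not ours. From: can be forged, so a real
    gateway should key on the connection source; empty senders count as external."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS

def powerpoint_reasons(part):
    """List why one attachment looks like a legacy PowerPoint file."""
    reasons = []
    if (part.get_filename() or "").lower().endswith(PPT_EXTENSIONS):
        reasons.append("extension")
    if part.get_content_type() == PPT_MIME:
        reasons.append("mime-type")
    if (part.get_payload(decode=True) or b"").startswith(OLE2_MAGIC):
        reasons.append("ole2-magic")  # catches renamed files; also matches .doc/.xls
    return reasons

def triage(raw_bytes):
    """Return ('quarantine' | 'deliver', [(filename, reasons), ...]) for one message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if not is_external(msg):
        return "deliver", []
    hits = [(p.get_filename(), r) for p in msg.iter_attachments()
            if (r := powerpoint_reasons(p))]
    return ("quarantine" if hits else "deliver"), hits

def build_sample(sender, filename, data, subtype="octet-stream"):
    """Constructed test message (not real traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", "Q3 deck"
    m.set_content("See attached.")
    m.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    fake_ppt = OLE2_MAGIC + b"\x00" * 32        # constructed bytes, not a real document
    print(triage(build_sample("alice@partner.test", "deck.ppt", fake_ppt, "vnd.ms-powerpoint")))
    print(triage(build_sample("alice@partner.test", "notes.dat", fake_ppt)))  # renamed file
    print(triage(build_sample("bob@example.com", "deck.ppt", fake_ppt)))      # internal sender
```

Because the content check also matches other legacy Office files, expect some Word and Excel attachments to be held while the rule is active, which is one reason to treat it as a temporary measure.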
As you can see, this process is fairly straightforward if you understand the terminology. If the answers to the questions indicated that you did not run PowerPoint, and your IT group validated this fact, then you would have no course of action. If you did run PowerPoint, but there was no exploit in the wild, then perhaps you could have just waited for the patch to be deployed. There are many possible branches on this tree, but by taking a high-level, methodical, and FUD-less approach, you become an effective decision maker and an asset to your organization.