A vulnerability in Microsoft PowerPoint was targeted in a zero-day attack by malware writers following last week's monthly security update.
A malicious PowerPoint file, circulated as an e-mail attachment, exploits the client-side vulnerability to elevate privileges and install a dropper that can create a backdoor.
The vulnerability is the third exploit found in the last five months and has yet to be patched.
Trend Micro Australia premium services manager Adam Biviano said malware is often released after Microsoft's 'patch Tuesday' to give the malware maximum exposure prior to detection.
"It is well known that Microsoft issues its patches on the second Tuesday of each month, and that out-of-cycle patches are only processed and released in very extreme cases," Biviano said. "With this knowledge, malware writers keep their exploits secret until after the monthly update, [therefore] their attack can remain active for up to a full month which increases their odds for success."
Biviano said zero-day attacks are silent, using vulnerabilities to create backdoors for botnet infection.
"Instead of causing the mass virus pandemic which people associate with the zero-day attack, rootkits applied through this mechanism could lie dormant on a machine for months before being activated," he said.
"The vulnerability opens the door, the rootkit would conceal the presence, and a bot agent could be carrying out malicious tasks." He said users should exercise simple, 'tried-and-true' policies to minimize risk.
"Do not open PowerPoint files attached to any e-mails from [senders] you don't know; consider blocking all incoming Word, PowerPoint, and Excel files from external, unverified sources for companies; and ensure your antivirus definitions are up to date."
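The blocking policy described above, as an added example that is not part of the original article or of any vendor's product: a small mail-gateway check that quarantines Word, PowerPoint and Excel attachments unless the sender's domain is on a verified allowlist. It goes slightly beyond the quoted advice by recognising legacy binary Office documents by their OLE2 file signature as well as by extension, so a renamed attachment is still caught. The `TRUSTED_DOMAINS` allowlist and the sample messages are constructed for illustration.

```python
"""Added example: quarantine legacy Office attachments from unverified senders."""
import email
from email import policy
from email.message import EmailMessage

# Legacy binary Office files (.doc/.ppt/.xls, the formats in use in 2006) are
# OLE2 compound documents and begin with this 8-byte signature, whatever the
# filename extension says.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
OFFICE_EXTENSIONS = (".doc", ".dot", ".ppt", ".pps", ".pot", ".xls", ".xlt")

# Hypothetical allowlist: senders in these domains count as verified.
TRUSTED_DOMAINS = {"example.com"}


def sender_domain(msg) -> str:
    """Return the lower-cased domain of the From: header (empty if absent)."""
    addr = str(msg.get("From", ""))
    _, _, domain = addr.rpartition("@")
    return domain.strip(">").strip().lower()


def is_office_document(filename, data: bytes) -> bool:
    """True if the attachment looks like a binary Office file by name or by magic."""
    name = (filename or "").lower()
    return name.endswith(OFFICE_EXTENSIONS) or data.startswith(OLE2_MAGIC)


def classify_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and decide whether to deliver or quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    trusted = domain in TRUSTED_DOMAINS
    flagged = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if is_office_document(part.get_filename(), data):
            flagged.append(part.get_filename() or "<unnamed>")
    action = "quarantine" if flagged and not trusted else "deliver"
    return {
        "sender_domain": domain,
        "trusted": trusted,
        "office_attachments": flagged,
        "action": action,
    }


def build_sample(from_addr: str, filename: str, payload: bytes, content_type: str) -> bytes:
    """Construct a sample message with one attachment (test data, not a real e-mail)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "staff@example.com"
    m["Subject"] = "Q3 figures"
    m.set_content("See attached.")
    maintype, subtype = content_type.split("/", 1)
    m.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    fake_ppt = OLE2_MAGIC + b"\x00" * 32  # constructed stand-in for a .ppt body
    external = build_sample("Unknown Sender <sales@unknown-vendor.invalid>",
                            "figures.ppt", fake_ppt, "application/vnd.ms-powerpoint")
    print(classify_message(external))
```

The signature check matters more than the extension check: an attacker controls the filename, but a PowerPoint document that the application will open still has to start with the OLE2 header. The allowlist decision is deliberately coarse (domain only); in production it should sit behind SPF/DKIM verification so that a spoofed From: header cannot bypass it.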
"The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the August security updates on August 8, 2006, or sooner as warranted."
Microsoft Australia said customers who believe they have been attacked should contact law enforcement.