Microsoft writes it has become aware of a new zero-day security hole that affects all supported releases of Windows (except Windows Server 2003). The vulnerability is exploited by attackers through PowerPoint and allows remote code execution.
The software giant has uploaded a workaround fix that can be applied until the security flaw is resolved.
Microsoft is aware of a vulnerability affecting all supported releases of Microsoft Windows, excluding Windows Server 2003. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. The attack requires user interaction to succeed on Windows clients with a default configuration, as User Account Control (UAC) is enabled and a consent prompt is displayed.
At this time, we are aware of limited, targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint.