
MS Office Flaws Ideal Tools for Targeted Attacks

Whenever Microsoft issues updates to fix critical security holes in its Microsoft Office products, I think it's helpful to remind Security Fix readers about the importance of updating those products, in part because many users of older Office versions (Office 2000 and 97) may not realize they must visit Office Update -- not Microsoft Update -- to obtain their fixes.

I mention this because Office flaws can be a very powerful yet easily overlooked avenue for viruses, worms and Trojan horse programs. That's because while most businesses now block executable programs as e-mail attachments (as they should), for business reasons very few will nix Microsoft Word documents, PowerPoint slides or Excel spreadsheets that arrive as attachments via e-mail.

Several years ago -- eons ago in Internet time -- some of the most effective viruses were "macro" viruses that typically appended themselves to Microsoft Word documents. With the rise of e-mail and network-based worms, these types of attacks lost their cachet among virus writers, giving way to far more complex and evasive online threats.

But that doesn't mean the bad guys have given up on Office's design weaknesses. The folks over at Secure Science Corp. last week intercepted a mass e-mail attack sent to various U.S. military addresses that took advantage of a recently patched Office flaw to embed a password-stealing Trojan horse program in a PowerPoint presentation.

The real danger is that many people know to treat attachments with ".pif" or ".exe" file extensions with the utmost suspicion (though judging the safety of a file by its extension is a losing battle, because in many cases the extension is misleading or irrelevant from a security standpoint), yet those same users will happily open a Word document or Excel spreadsheet without thinking twice about scanning it first with an anti-virus tool.
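A gateway-side check that follows from this point, as an added example (not code from the original post): look at what an attachment actually is, by its leading bytes, and compare that with what its name claims, so a renamed executable is blocked and an Office binary is routed to scanning whatever it is called. The magic-number table and the extension policy are the author's assumptions, and every sample attachment is constructed inline (headers plus padding, not real documents or malware).

```python
"""Attachment triage by content rather than file name.

Added example, not code from the original post. It reads the leading
bytes ("magic numbers") of each attachment, works out what the file
really is, and compares that with what the extension claims, so a
renamed executable or an Office binary with an odd extension is still
caught. The MAGIC and EXPECTED tables are assumed policy, and every
sample file below is constructed inline: headers plus padding only.
"""
import os

# Leading bytes of common attachment formats.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # Office 97-2003 .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                          # Office 2007+ (.docx, ...) and plain .zip
    (b"MZ", "pe"),                                   # Windows executable (.exe/.pif/.scr/.dll)
    (b"{\\rtf", "rtf"),                              # Rich Text, which Word also opens as .doc
    (b"%PDF", "pdf"),
]

# Content types an extension may legitimately carry (assumed policy).
EXPECTED = {
    ".doc": {"ole2", "rtf"}, ".dot": {"ole2"},
    ".xls": {"ole2"}, ".xlt": {"ole2"},
    ".ppt": {"ole2"}, ".pps": {"ole2"}, ".pot": {"ole2"},
    ".docx": {"zip"}, ".xlsx": {"zip"}, ".pptx": {"zip"},
    ".rtf": {"rtf"}, ".pdf": {"pdf"}, ".zip": {"zip"},
}


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Decide 'block' or 'scan' for one attachment.

    Nothing is simply waved through: Office documents get the same
    anti-virus/sandbox scan as any other attachment.
    """
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    if kind == "pe":
        reason, verdict = "executable content regardless of name", "block"
    elif ext in EXPECTED and kind not in EXPECTED[ext]:
        reason, verdict = f"content {kind} does not match {ext}", "block"
    elif kind == "ole2":
        reason, verdict = "legacy Office binary, send to AV/sandbox", "scan"
    else:
        reason, verdict = "send to AV/sandbox", "scan"
    return {"name": filename, "ext": ext, "content": kind,
            "verdict": verdict, "reason": reason}


def triage(attachments):
    """Classify a batch; return (blocked, to_scan) lists of file names."""
    blocked, to_scan = [], []
    for name, data in attachments:
        target = blocked if classify(name, data)["verdict"] == "block" else to_scan
        target.append(name)
    return blocked, to_scan


# Constructed sample attachments (headers only, padded to look file-like).
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
SAMPLES = [
    ("revised_plan.ppt", OLE2),                          # an Office binary, like the 2006 lure
    ("revised_plan.doc", b"MZ\x90\x00" + b"\x00" * 60),   # executable renamed to .doc
    ("memo.doc", b"{\\rtf1\\ansi Hello}"),               # RTF saved as .doc: legitimate
    ("budget.xls", b"PK\x03\x04" + b"\x00" * 26),         # zip content claiming to be .xls
    ("setup.pif", b"MZ\x90\x00" + b"\x00" * 60),          # the classic, by name and content
    ("notes.txt", b"plain text, no magic"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        r = classify(name, data)
        print(f"{r['verdict']:5} {name:18} content={r['content']:7} {r['reason']}")
```

The check is deliberately two-sided: content that is executable is blocked no matter what the name says, and a name whose content is something the extension cannot legitimately carry is blocked as a mismatch. Everything else, Office binaries included, is sent to scanning rather than allowed, which is the habit the post is arguing for.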


Of course, for a growing number of e-mail-borne viruses -- particularly attacks that are targeted at a specific group or institution -- anti-virus scans may be ineffective, at least during the initial few days of the attack. I ran the file attachment sent to these military folks against the 24 different scanners used by VirusTotal.com, and only seven of them flagged the file as suspicious, while just two had a name for it: "Trojan.PPT.A" (there is no writeup yet, but I'm sure that's just a matter of hours or days). To see which tools rose to the top on this occasion, check out the screenshot I took (click the image at right).

What's more, I found this little morsel in the Microsoft advisory that I somehow overlooked when I wrote about this flaw last month: "This vulnerability could be exploited automatically when using Office 2000. Office 2000 does not prompt the user to Open, Save, or Cancel before opening a document." Yikes.

For anyone who is curious, the following was the text of the e-mail message in question: "Dear sir: In the next week, we will still proceed the NAVAL operation practice. We know you are very busy. But the practice plan is revised much. Please check the revised plan, and if you are agreed with it please respond to us as quickly as possible!!! We are so sorry! Thanks and best wishes to you!" The letter is signed by a "Lieutenant George Chamberlaen."

Pretty lame, huh? Nobody would fall for that cheesy e-mail, right? Well, Secure Science managed to locate the "dead drop" used by this attack (dead drops are basically databases set up to receive all of the username and password data stolen by Trojan horse programs). Consider this: they found 2,301 sets of online login credentials belonging to U.S. military personnel, potentially allowing access to various Department of Defense "service portals" such as MarineNet.mil and AKO (Army Knowledge Online).

The scammers' database also held other login information from victims, including user names and passwords for 221 Bank of America accounts, 5,524 Gmail accounts, and 1,842 sets of Hotmail credentials, just to name a few.

The takeaway here should be that targeted attacks like these are becoming much, much more common. If you're a Windows user and have delayed installing patches recently, take care of that by visiting Microsoft Update. If you're running Office 2003 or Office XP, Microsoft Update or Automatic Updates should detect and install any missing patches for Windows as well as Office. If you're running Office 2000 or older, you'll need to visit Office Update. And, installing Office patches usually requires you to insert the Office installation disc, so you'll want to have that handy.

One final, side note. If you took my advice last week and are now running Internet Explorer under a non-administrator account or via the Microsoft "drop my rights" program, you will need to run IE as the all-powerful "administrator" account to install patches via Microsoft Update. If you've deleted the old IE icon off your desktop, you can get to the original file by opening Windows Explorer, navigating to "C:\Program Files\Internet Explorer" and clicking on "iexplore.exe".

Update, 12:53 p.m. ET: Turns out Office Update does not support Office 97. Those users can still download updates from this link here, but it's a far more tedious process. What's more, Microsoft stopped issuing security fixes for this product a while back: The last security update listed for Office 97 was released in Oct. 1999.

By Brian Krebs  |  April 25, 2006; 7:00 AM ET
Categories:  Latest Warnings  

Comments

Why do people who write virus emails use so many exclamation points? It seems to be the biggest tip off. I don't think many Lt. Generals would sign a sentence with two or three!!!

Posted by: MD | April 25, 2006 8:39 AM | Report abuse

There's a major problem with updating Office. When I try to update Office I am unsuccessful because Microsoft demands I insert my Office disc. I have three completely full large CD cases that are not very organized -- I am not willing to spend the time to dig out my disc every time Microsoft needs to fix software, design, and architectural bugs.

My solution was to switch to OpenOffice and just use office when I have no choice.

Posted by: Rich Wallick | April 25, 2006 9:32 AM | Report abuse

I run Office XP and recently downloaded the latest updates for Office. They crashed Office (you couldn't open files). Not knowing why, I restored the system and then saw it crash again when the update automatically reinstalled itself. Eventually, I called MS and they said this happens if you have an HP printer. There must be millions of us! If this happens to you, call MS and they'll give you a free fix.

Posted by: Alan Roth | April 25, 2006 10:53 AM | Report abuse

Office Update doesn't work for my Office 97. So I'm pretty sure it's for 2000 on.

Posted by: Bob Trallis | April 25, 2006 12:08 PM | Report abuse

To install Office updates without the Office disk, you need to download the 'network install' version of the update. Just make a note of the Knowledge Base number for the update and use Microsoft's search to get the page or click on the 'more info' link when viewing the individual updates.

Posted by: Mark C | April 25, 2006 1:45 PM | Report abuse

Brian,
I installed Windows XP several years after installing office 2003 on W2000. The automatic update NEVER gives me the office updates. I have to manually go to the site and look for them. The Windows XP auto updates work fine. My portable had factory installed WXP and Office 2003 and auto update does give me all the updates for both sets of software.
Also, I too am always prompted for the office 2003 install disk, but after replying yes to the question if I have the disk available, it never has been called for by the update.

Posted by: dbm1rxb | April 25, 2006 3:04 PM | Report abuse

All classified material in the military and intelligence community is on a separate network, which is not connected to the Internet, and which you access through a separate computer that has no floppy drive, no CD-ROM drive and in most cases you have to fight to get USB access, and at the end of the day all the hard drives are removed and locked up.

So if someone does manage to gain access to a military portal on the Internet all they managed to do is create some headaches, you cannot compromise national security from the Internet. I think most folks do not know this, and equate any military site as containing classified information.

Posted by: John | April 26, 2006 1:32 AM | Report abuse

Computer security is very important. To find a security tool, I use Webcam Zone Trigger. Because of its user-friendly, object-oriented interface, Zone Trigger is hands-down the easiest motion detection software to use. Created by Omega Unfold, Zone Trigger takes live video from any webcam, DV camcorder or analog video input device.

http://www.yaodownload.com/video-design/videorecorders/webcam-zone-trigger_videorecorders.htm

Posted by: smile | April 27, 2006 3:42 AM | Report abuse

John, is that to prevent the rise of SkyNet? :)

Posted by: Alex | May 22, 2006 5:31 AM | Report abuse


© 2010 The Washington Post Company