MS Office Flaws Ideal Tools for Targeted Attacks
Whenever Microsoft issues updates to fix critical security holes in its Microsoft Office products, I think it's helpful to remind Security Fix readers about the importance of updating those products, in part because many users of older Office versions (Office 2000 and 97) may not realize they must visit Office Update -- not Microsoft Update -- to obtain their fixes.
I mention this because Office flaws can be a very powerful yet easily overlooked avenue for viruses, worms and Trojan horse programs. That's because while most businesses now block executable programs as e-mail attachments (as they should), for business reasons very few will nix Microsoft Word documents, PowerPoint slides or Excel spreadsheets that arrive as attachments via e-mail.
Several years ago -- eons ago in Internet time -- some of the most effective viruses were "macro" viruses that typically appended themselves to Microsoft Word documents. With the rise of e-mail and network-based worms, these types of attacks lost their cachet among virus writers, giving way to far more complex and evasive online threats.
But that doesn't mean the bad guys have given up on Office's design weaknesses. The folks over at Secure Science Corp. last week intercepted a mass e-mail attack sent to various U.S. military addresses that took advantage of a recently patched Office flaw to embed a password-stealing Trojan horse program in a PowerPoint presentation.
The real danger is that many people know to look with the utmost suspicion on file attachments that carry ".pif" or ".exe" file extensions (actually, judging the safety of files by their extensions is a losing battle, because in many cases those extensions can be misleading or irrelevant from a security standpoint), but those same users will happily open a Word document or Excel spreadsheet without thinking twice about scanning it first with an anti-virus tool.
Of course, for a growing number of e-mail-borne viruses -- particularly attacks that are targeted at a specific group or institution -- anti-virus scans may be ineffective, at least during the initial few days of the attack. I ran the file attachment sent to these military folks against 24 different scanners used by VirusTotal.com, and only seven of them flagged the file as suspicious, while just two had a name for the bugger: "Trojan.PPT.A" (there is no writeup yet, but I'm sure that's just a matter of hours or days). To see which tools rose to the top on this occasion, check out the screenshot I took.
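The two points above, that an extension says little about what a file really is and that an Office document can carry an executable inside it, can be turned into a simple mail-gateway triage. This is an added example, not code from the original post or from Secure Science; the magic-byte checks are standard container signatures, the "DOS stub" heuristic is an assumption about how an embedded executable would appear inside a document, and the sample bytes and file names are constructed.

```python
# Added example, not code from the original post. Classifies an attachment
# by content (magic bytes) instead of trusting the file extension, and
# applies a simple heuristic for an executable embedded in an Office document.
# All sample data below is constructed; file names are hypothetical.
import os

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.xlsx/.pptx) is a ZIP
PE_MAGIC = b"MZ"                                 # Windows executable / DLL / screensaver
DOS_STUB = b"This program cannot be run in DOS mode"  # found in nearly every PE file

EXT_FOR_TYPE = {
    "ole2": {".doc", ".xls", ".ppt"},
    "zip": {".docx", ".xlsx", ".pptx", ".zip"},
    "pe": {".exe", ".pif", ".scr", ".dll", ".com"},
}

def content_type(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"

def triage(filename: str, data: bytes) -> str:
    """Return a gateway verdict: 'block', 'quarantine', or 'scan'."""
    ext = os.path.splitext(filename)[1].lower()
    kind = content_type(data)
    if kind == "pe":
        return "block"            # executable content, whatever it is called
    if kind in ("ole2", "zip") and DOS_STUB in data:
        return "quarantine"       # Office container carrying an embedded executable (heuristic)
    if kind != "unknown" and ext not in EXT_FOR_TYPE[kind]:
        return "quarantine"       # extension does not match the real container
    return "scan"                 # plausible document: still run it through AV

# Constructed samples: a clean PowerPoint header, the same with an embedded
# executable, and a bare executable renamed to look like a presentation.
CLEAN_PPT = OLE2_MAGIC + b"\x00" * 64
TROJAN_PPT = OLE2_MAGIC + b"\x00" * 32 + PE_MAGIC + b"\x90" * 8 + DOS_STUB
RENAMED_EXE = PE_MAGIC + b"\x90" * 32 + DOS_STUB

if __name__ == "__main__":
    for name, blob in [("plan.ppt", CLEAN_PPT), ("plan.ppt", TROJAN_PPT),
                       ("plan.ppt", RENAMED_EXE), ("plan.pdf", CLEAN_PPT)]:
        print(name, content_type(blob), triage(name, blob))
```

A "scan" verdict is the floor, not a clean bill of health: as the post notes, a fresh targeted sample may pass most scanners for days.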
What's more, I found this little morsel in the Microsoft advisory that I somehow overlooked when I wrote about this flaw last month: "This vulnerability could be exploited automatically when using Office 2000. Office 2000 does not prompt the user to Open, Save, or Cancel before opening a document." Yikes.
For anyone who is curious, the following was the text of the e-mail message in question: "Dear sir: In the next week, we will still proceed the NAVAL operation practice. We know you are very busy. But the practice plan is revised much. Please check the revised plan, and if you are agreed with it please respond to us as quickly as possible!!! We are so sorry! Thanks and best wishes to you!" The letter is signed by a "Lieutenant George Chamberlaen."
Pretty lame, huh? Nobody would fall for that cheesy e-mail, right? Well, Secure Science managed to locate the "dead drop" used by this attack (dead drops are basically databases set up to receive all of the username and password data stolen by Trojan horse programs). Consider this: they found 2,301 sets of online login credentials belonging to U.S. military personnel, potentially allowing access to various Department of Defense "service portals" such as MarineNet.mil and AKO (Army Knowledge Online).
The scammers' database also held other login information from victims, including user names and passwords for 221 Bank of America accounts, 5,524 Gmail accounts, and 1,842 sets of Hotmail credentials, just to name a few.
The takeaway here should be that targeted attacks like these are becoming much, much more common. If you're a Windows user and have delayed installing patches recently, take care of that by visiting Microsoft Update. If you're running Office 2003 or Office XP, Microsoft Update or Automatic Updates should detect and install any missing patches for Windows as well as Office. If you're running Office 2000 or older, you'll need to visit Office Update. And installing Office patches usually requires you to insert the Office installation disc, so you'll want to have that handy.
One final, side note. If you took my advice last week and are now running Internet Explorer under a non-administrator account or via the Microsoft "drop my rights" program, you will need to run IE as the all-powerful "administrator" account to install patches via Microsoft Update. If you've deleted the old IE icon off your desktop, you can get to the original file by opening Windows Explorer, navigating to "C:\Program Files\Internet Explorer" and clicking on "iexplore.exe".
Update, 12:53 p.m. ET: Turns out Office Update does not support Office 97. Those users can still download updates from this link here, but it's a far more tedious process. What's more, Microsoft stopped issuing security fixes for this product a while back: The last security update listed for Office 97 was released in Oct. 1999.