Microsoft's Achilles' Heel: Office
The cyber attack last month against a U.S.-based public utility came wrapped in a Microsoft PowerPoint document featuring holiday illustrations and heartwarming reflections. This PowerPoint file, which resembled an innocuous version that was being forwarded around the Web by many sentimental e-mail users, had been modified to include a Trojan horse program designed to open a secret backdoor into the utility's internal computer network.
The company called in to investigate the attack, Verisign's iDefense Labs in Sterling, Va., also found two separate Microsoft Word files on computers inside the company's network that had also been tainted with malicious software code designed to give attackers control over the machines. None of the files were detected as malicious by the anti-virus software used by the company.
Ken Dunham, director of iDefense's rapid response team, said similarities in the computer code of all three malicious programs strongly suggested the handiwork of a Chinese hacking group known to write computer viruses for hire. And in each case, the attackers designed their hidden viruses to take advantage of security holes recently discovered in the Microsoft Office programs.
The attack investigated by iDefense is just one example of one of the biggest problems facing Microsoft: The seemingly endless string of vulnerabilities discovered last year in the software giant's Office software, the productivity suite that includes the widely used Excel, Outlook, PowerPoint and Word programs. Microsoft patched a total of 41 critical vulnerabilities in its various Office products last year, accounting for more than one third of the 104 "critical" flaws the company patched in all of 2006. Microsoft assigns a patch its most dire "critical" rating if the update fixes a vulnerability that bad guys could exploit with little to no action on the part of user, aside from maybe visiting a malicious Web site or viewing a specially crafted e-mail.
To put last year's 41 critical Office patches into perspective, consider that Microsoft shipped a total of 37 critical updates for all of its software products in 2005. None of the patch or vulnerability numbers cited in this story takes into account three still-unpatched vulnerabilities present in Microsoft Word, two of which Microsoft has acknowledged that criminals are actively exploiting.
In at least four cases in 2006, Microsoft rushed to issue patches to fix Office flaws that it first learned about after bad guys already were exploiting them for financial or personal gain.
For its part, nearly each time last year that Microsoft acknowledged attacks on unpatched flaws in its software, the company assured customers that the attacks were "very limited" and "very targeted" in scope. Indeed, at least when it comes to attacks this past year that leveraged unpatched Microsoft Office flaws, the anecdotes from victims have been few and far between, suggesting that the company's assurances are correct. It may also be the case that the victims of such attacks are government agencies or businesses that simply do not want to risk the potential for negative publicity should news of a network security breach attack reach the press.
As with the incident at the utility company documented by iDefense, attacks reported to the SANS Internet Storm Center in Bethesda, Md., often are of the targeted variety, reported by government agencies or contractors who wish to remain anonymous but perhaps also see the value in spreading a word of warning to others.
Johannes Ullrich, chief technology officer for the Storm Center, said he received private reports in 2006 from a defense contracting company that was hit by a targeted virus attack that took advantage of an unpatched PowerPoint flaw. In another case reported to SANS last year, the security of a federal financial regulatory agency was compromised by a Microsoft Word document that took advantage of an unpatched security hole in the software to install computer code designed to let attackers remotely control infected systems.
Ullrich said both attacks arrived in e-mails that appeared as though they were sent from an insider, and included references to co-workers or ongoing projects, suggesting the attackers had fairly detailed knowledge of their targets. And both attacks were based in part on virus variants previously unidentified by security experts.
"These were definitely variants that we hadn't seen anywhere else," Ullrich said.
Microsoft's claims notwithstanding, the company has shifted its advice to customers in determining how to deal with e-mail attachments that could harbor potentially dangerous Office documents. Consider the very first Office security update that Microsoft shipped in 2006: A patch the company pushed out on St. Patrick's Day to correct an Excel bug that an enterprising researcher had tried to sell at an eBay auction in December 2005.
In the "workarounds" and "mitigation" sections of its accompanying security advisory, Microsoft strongly advised customers: "Do not open or save Microsoft Excel files that you receive from un-trusted sources."
Fast forward to October, when Microsoft released the last of its Office security updates for the year. In the accompanying advisories, the company appropriately extended its warning about unsafe attachments to files sent even by people the recipient knows and trusts: "Do not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources."
Most security experts I interviewed over the past several weeks say they expect to continue to see a large number of Office flaws disclosed and/or exploited throughout 2007, and that older, more vulnerable versions of Office will continue to be a key source of vulnerability for users who upgrade to Microsoft Vista, the new version of Microsoft's Windows operating system.
See Thursday's posting on Microsoft's record for turning around patches in its Internet Explorer Web browser.
January 5, 2007; 6:00 AM ET
Categories: From the Bunker , Latest Warnings , New Patches , Safety Tips
Save & Share: Previous: Take Me to Your (Adobe) Reader
Next: Scary Blogspam Automation Tools
Posted by: Patrick Bergin | January 5, 2007 9:02 AM | Report abuse
Posted by: OpenOfficeExploit | January 5, 2007 9:42 AM | Report abuse
Posted by: thw2006 | January 5, 2007 10:33 AM | Report abuse
Posted by: OhioMC | January 5, 2007 11:45 AM | Report abuse
Posted by: Anonymous | January 5, 2007 12:03 PM | Report abuse
Posted by: Bk | January 5, 2007 12:09 PM | Report abuse
Posted by: zridling | January 5, 2007 12:20 PM | Report abuse
Posted by: Anonymous | January 5, 2007 12:22 PM | Report abuse
Posted by: Rich Gibbs | January 5, 2007 1:51 PM | Report abuse
Posted by: JohnJ | January 5, 2007 2:02 PM | Report abuse
Posted by: MikeB | January 5, 2007 2:12 PM | Report abuse
Posted by: JohnJagain | January 5, 2007 2:13 PM | Report abuse
Posted by: don r | January 5, 2007 3:44 PM | Report abuse
Posted by: Bu Pa | January 8, 2007 12:44 AM | Report abuse
Posted by: reggy | January 18, 2007 2:37 PM | Report abuse
The comments to this entry are closed.