The Microsoft Office Vulnerabilities Treadmill

[Symantec]

The Microsoft Office Vulnerabilities Treadmill
<p>This year will probably go down in history as the year of Microsoft Office vulnerabilities. Never before have we seen such a high level of activity around the discovery and exploitation of vulnerabilities in the Microsoft Office application suite. Ever since the uncovering of a series of vulnerabilities across the range of Microsoft Office applications in early March of this year, we have seen a considerable pickup in activity. We have been receiving a steady stream of new malicious code that uses zero-day exploits for one or more of the applications that make up this suite. Just to reinforce this point, on September 27, 2006, we received samples of new malware that uses yet another Microsoft PowerPoint zero-day vulnerability. We have added detection for this new Trojan as <a href="http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-092715-1534-99">Trojan.PPDropper.F</a>.</p>

<p>“Why the sudden interest in Office applications?” some might ask. Well, up until earlier this year, the bulk of Microsoft’s attention has been devoted to patching its operating systems, browsers, and various components associated with them. To most attackers, browsers and operating systems would represent the first targets to attack, but it may not be lost on them that Microsoft has been improving its ability to turn around patches for Windows and Internet Explorer. In Symantec’s latest <a href="http://www.symantec.com/specprog/threatreport/ent-whitepaper_symantec_internet_security_threat_repor t_x_09_2006.en-us.pdf"><em>Internet Security Threat Report</em> </a>the idea of a window of exposure (WOE) was discussed. Window of exposure is the time between the announcement of a vulnerability and a vendor supplied patch, minus the number of days before the appearance of an exploit, which has decreased quite considerably over the past 12 months.</p>

<p>What are the implications of this for malcode developers? In order for malcode authors to prolong the shelf life of their creations, they must look to adopt new strategies and avenues of attack, beyond standard operating systems and browsers. One strategy that has already been discussed before is the timing of exploit code release. By carefully aligning the release of the exploit closely with Microsoft’s monthly security patch release cycle, malcode authors can maximize the life span of their exploit. The ubiquitous Microsoft Office applications also offer another route because they have a huge user base and are now shown to be vulnerable. In particular, the file format of the applications has turned out to be a veritable gold mine of new vulnerabilities that have been neglected for many years. It is interesting to note that the current Office application suite has been around since 2003, but two-thirds of the Microsoft Security Bulletins concerning Office 2003 applications were released this year. We are also seeing more zero-day vulnerabilities for older Microsoft Office applications too, such as the Word 2000 vulnerability, which was discovered in early September. It goes to show just how much attention is now being focused on Microsoft Office applications as alternative channels of attack. Of course, things have also become easier for the attackers, due to the proliferation and use of file fuzzing tools. Fuzzing tools make the job of searching for Microsoft Office vulnerabilities relatively quick and easy. For example, an attacker can use these tools to automate the process of creating every imaginable combination of data in a Word document, then open it with Word, and wait to see if it causes Word to crash. If it does, then the attacker may have something that can potentially lead to a new exploitable vulnerability. This treadmill is now in motion and the finger is now planted squarely on the “speed up” button.</p>
http://www.symantec.com/enterprise/security_response/weblog/2006/09/the_microsoft_office_vulnerabi.html
http://www.symantec.com/enterprise/security_response/weblog/2006/09/the_microsoft_office_vulnerabi.html
Thu, 28 Sep 2006 10:15:00 -0800