This year will probably go down in historyas the year of Microsoft Office vulnerabilities. Never before have weseen such a high level of activity around the discovery andexploitation of vulnerabilities in the Microsoft Office applicationsuite. Ever since the uncovering of a series of vulnerabilities acrossthe range of Microsoft Office applications in early March of this year,we have seen a considerable pickup in activity. We have been receivinga steady stream of new malicious code that uses zero-day exploits forone or more of the applications that make up this suite. Just toreinforce this point, on September 27, 2006, we received samples of newmalware that uses yet another Microsoft PowerPoint zero-dayvulnerability. We have added detection for this new Trojan as Trojan.PPDropper.F.
“Why the sudden interest in Office applications?” some might ask.Well, up until earlier this year, the bulk of Microsoft’s attention hasbeen devoted to patching its operating systems, browsers, and variouscomponents associated with them. To most attackers, browsers andoperating systems would represent the first targets to attack, but itmay not be lost on them that Microsoft has been improving its abilityto turn around patches for Windows and Internet Explorer. In Symantec’slatest Internet Security Threat Report theidea of a window of exposure (WOE) was discussed. Window of exposure isthe time between the announcement of a vulnerability and a vendorsupplied patch, minus the number of days before the appearance of anexploit, which has decreased quite considerably over the past 12 months.
What are the implications of this for malcode developers? In orderfor malcode authors to prolong the shelf life of their creations, theymust look to adopt new strategies and avenues of attack, beyondstandard operating systems and browsers. One strategy that has alreadybeen discussed before is the timing of exploit code release. Bycarefully aligning the release of the exploit closely with Microsoft’smonthly security patch release cycle, malcode authors can maximize thelife span of their exploit. The ubiquitous Microsoft Officeapplications also offer another route because they have a huge userbase and are now shown to be vulnerable. In particular, the file formatof the applications has turned out to be a veritable gold mine of newvulnerabilities that have been neglected for many years. It isinteresting to note that the current Office application suite has beenaround since 2003, but two-thirds of the Microsoft Security Bulletinsconcerning Office 2003 applications were released this year. We arealso seeing more zero-day vulnerabilities for older Microsoft Officeapplications too, such as the Word 2000 vulnerability, which wasdiscovered in early September. It goes to show just how much attentionis now being focused on Microsoft Office applications as alternativechannels of attack. Of course, things have also become easier for theattackers, due to the proliferation and use of file fuzzing tools.Fuzzing tools make the job of searching for Microsoft Officevulnerabilities relatively quick and easy. For example, an attacker canuse these tools to automate the process of creating every imaginablecombination of data in a Word document, then open it with Word, andwait to see if it causes Word to crash. If it does, then the attackermay have something that can potentially lead to a new exploitablevulnerability. This treadmill is now in motion and the finger is nowplanted squarely on the “speed up” button.