See other Science/Tech Articles
Title: Microsoft Office Under Siege
Source:
Microsoft Watch
URL Source: http://www.microsoft-watch.com/arti ... 0.asp?kc=MWRSS02129TX1K0000535
Published: Aug 13, 2006
Author: Ryan Naraine
Post Date: 2006-08-15 08:26:44 by Red Jones
Keywords: None
Views: 273
Comments: 19
Microsoft Office Under Siege August 13, 2006 By Ryan Naraine What started as an amusing eBay listing of an Excel vulnerability for sale has developed into an all-out hacker assault on Microsoft Office applications. Security researchers and malicious hackers have zeroed in on the desktop productivity suite, using specialized "fuzzing" tools to find a wide range of critical vulnerabilities in Word, Excel and PowerPoint file formats. The upsurge in reported Office flaws has put Microsoft on high alert for targeted zero-day attacks that have all the characteristics of characteristics of corporate espionage—highly targeted and using Trojan horse programs to drop keyloggers and data theft malware programs, according to information from anti-virus vendor Symantec. RELATED LINKS Alert Raised for MS Word Zero-Day Attack eBay Pulls Bidding for MS Excel Vulnerability Critical Excel Flaws Remain Unpatched Microsoft Posts Excel 'Zero-Day' Flaw Workarounds Microsoft Confirms Excel Zero-Day Attack Under Way "Our Office team has been hard at work all summer. It's been literally round-the-clock work on updates and responding to issues. It's clear that the [security] research community is focusing on Office and other client-side vulnerabilities. That's a shift we were actually expecting," said Stephen Toulouse, a security program manager for Microsoft's Security Technology Unit, in Redmond, Wash. "As we make the operating system more resilient to attacks, it makes sense that the researchers are moving up to the application layer. It's not just Office under scrutiny. We're seeing the same thing with [Apple Computer's] iTunes and even http://[OpenOffice.org]. There's an upsurge in vulnerabilities all around," Toulouse said. The statistics are telling. In 2005, Microsoft shipped patches for five flaws affecting all versions of Office. In the first eight months of 2006, according to Toulouse, that number skyrocketed to 24. "A lot of this stuff we're finding ourselves. The teams working on Office 2007 are doing the same fuzz testing, and we are actually backporting those fixes in the form of security updates for current versions," he said. Fuzzing, or fuzz testing, is an automated technique used by researchers to find software bugs. Code auditors typically use a fuzzer to send random queries to an application. If the program contains a vulnerability that leads to an exception, crash or server error, researchers can parse the results of the test to pinpoint the cause of the crash. Read more here about the Excel vulnerability that was listed on eBay. "It seems like Office is the new Internet Explorer," said Marc Maiffret, chief technology officer at eEye Digital Security, of Aliso Viejo, Calif. "A few years ago, the buzz was around IE flaws. Now, researchers are looking for other low-hanging fruit. Last year, it was easy to find a remote attack, but Microsoft spent a lot of time shoring up that attack surface. Now that remote attacks are harder, people are focusing on easier client bugs, and there are no better client programs to target than Office apps." To others, there is the thrill of the challenge. In December 2005, when an anonymous researcher put up an Excel flaw on eBay, the listing included clues about the actual vulnerability. It triggered a race in the research community to duplicate the finding. "[The eBay lister] mentioned the actual memory function that caused the bug, and we put all our guys to work trying to find it," said David Litchfield, managing director at Next Generation Security Software, a security consulting company operating out of the United Kingdom. "When Microsoft issued the patch, the list of researchers credited with reporting that bug was very long. It's clear that everyone had the same idea. Let's pound away on Excel and see if we can figure it out too," explained Litchfield, in Sutton, England. Microsoft's Toulouse acknowledged that the eBay listing appeared to trigger a race to discover file format bugs in Excel and other Office applications, but he said internal software teams also are hammering away at Office, trying to beat attackers to the punch. To Dave Aitel, a vulnerability researcher at Immunity, in Miami, it's somewhat strange that Office applications flew under the radar. "It's really, really easy to find an Office bug. Every time Word or Excel crashes, it's because of some random little bug that could be a security flaw. Everyone has dealt with a Word crash, so this is not a rare thing," Aitel said. Read more here about zero-day attacks against Microsoft Word users. "I'm sure Microsoft will make it harder to crack Office after this year, but, right now, there are bugs everywhere. And it's on every desktop out there, so it's really a big, common target," said Aitel, a high-profile researcher who creates exploits for Immunity's Canvas penetration testing tool. David Goldsmith, president of New York-based security consulting company Matasano Security, believes the upsurge in Office flaw discoveries is a direct result of Microsoft's work to harden the server services that ship with the Windows operating system. "It's part of the natural ebb and flow [of security research]. Once the researchers and attackers started focusing on client-side attacks, we started seeing a lot of IE bugs and IE patches. It's the same with Office," said Goldsmith. "Office is a big, tempting target for researchers with good fuzzers. People are now saying, 'Hey, let's look at Microsoft Office file formats,'" Goldsmith said. Microsoft's Toulouse said the next version of Office will be resilient to the file format bugs that are being found today. "We're already doing code auditing [fuzzing] during the software creation process, and we are applying what we learn to down-level versions. A lot of the patches you are seeing now are the result of our internal work," he explained. "We've had things reported to us that we had already found and were already in the middle of getting the updates ready." Check out http://eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at http://eWEEK.com Security Center Editor Larry Seltzer's Weblog. Copyright (c) 2006 Ziff Davis Media Inc. All Rights Reserved.
Post Comment Private Reply Ignore Thread
Top • Page Up • Full Thread • Page Down • Bottom/Latest
#1. To: RickyJ, Neil McIver (#0)
Ping FYI I don't really know much about software though I used to build software applications for business that were very successful. America's largest stucco contractor runs all its offices on software I wrote for them from scratch 100% myself. But I am convinced that MS is a very evil company and that they purposely allow these problems to occur. Unfortunately, they do have a monopoly. and I use MS software. Now I have Linux on my machine, I can use either MS Windows or Linux. But I generally stick with MS Windows. because that way I can file things into MS Word and use the whole Office package, etc. MS software is ubiquitous - like it or not, and it's in my interest to use it.
Red wine or white with spaghetti code?
OpenOffice (on Linux) is not bad at all. Go Linux!
"If there’s another 9/11 or a major war in the Middle-East involving a U.S. attack on Iran, I have no doubt that there will be, the day after or within days an equivalent of a Reichstag fire decree that will involve massive detentions in this country." - Daniel Ellsberg Author, Pentagon Papers To be fair, security problems are not only found in MS products. Linux also has regular security updates. The difference might be that the hacker community is generally allied with Linux since it stands against the big evil MS, and so they don't go around writing worms and virus for Linux. They instead are more likely to report it and help Linux out as it competes with the Big Evil.
Do you use Linux? We should take a poll.
Fedora Core 5! It rocks. Linux/Unix is required for my work, but increasingly Linux becoming my OS of choice. I've been cheering for it a long time. I'm installing Linux for my computer-avoidance daughter (one too many bad music downloads and the MS cd finally too scratched). I'll let you know how she gets along with it. She only uses internet, email and photo stuff. I believe Linux is ready for the average user now. I would convince my sons to use linux, but their games run on MS.
"If there’s another 9/11 or a major war in the Middle-East involving a U.S. attack on Iran, I have no doubt that there will be, the day after or within days an equivalent of a Reichstag fire decree that will involve massive detentions in this country." - Daniel Ellsberg Author, Pentagon Papers This might sound like a dumb question, rob, but where do you get Linux? Is it free, do you down-load it? If I'm already running Windows can I still install Linux?
"I woke up in the CRAZY HOUSE."
There is a way, but I don't recommend it. It is possible to run Windows inside Linux and there is dual-booting. I use swappable harddrives or two computers and a KVM switch (Keyboard/Video/Mouse = KVM). You can download Linux and burn the cds. Or you can borrow some from a linux friend, or you can purchase the cds. Microsoft is a Chevy. For all the money Gates extracts from folks, they only build a Chevy. Microsoft's history is not pretty, and they still have annual lawsuits. I just don't like them. Linux is this wonderful worldwide grassroots effort by really smart people, who witnessed and realized the future potential for more corporate evil. Linus Torvald and many others have created something that Gates no longer laughs about.
"If there’s another 9/11 or a major war in the Middle-East involving a U.S. attack on Iran, I have no doubt that there will be, the day after or within days an equivalent of a Reichstag fire decree that will involve massive detentions in this country." - Daniel Ellsberg Author, Pentagon Papers Solaris/OpenOffice here.
Press 1 to proceed in English. Press 2 for Deportation.
Thanks, rob. I already use a non-MS word processor at home. All the MS products are SO expensive, and even I don't think they're very good. He just got what eventually turned into a near monopoly on operating systems and word processing/spreadsheet applications. I'll look into the Linux.
"I woke up in the CRAZY HOUSE."
Yes you can download it, most practically if you have a broadband internet connection. I use Mandriva (formally Mandrake) and you can get it via bittorrent. Many other versions of linux are also available. Redhat is also popular, but there are a number of others. For installation by non-linux gurus, I suggest either Mandriva or Redhat. It's pretty hard to mess up. There are also versions of linux that are on a bootable CD that are safe to use on Windows. Put the CD in your CD drive and boot up the computer with it and you are running linux. It does not do anything to your windows installation. When you're done, close it down and reboot back into windows and it's business as usual. http://knoppix.com and http://kanotix.com offer a nice bootable linux CD, both free, and if you have a spare partition on your hard drive, you can install those CD's to the partition and make your computer "dual bootable". That is, when you turn your computer on, you are first asked if you want windows or linux. If you choose windows it boots up as normal. (Assuming you think "normal" describes windows). Mandriva also offers a bootable CD though I've not seen the latest version of it. They say it's nice. Other windows/linux options is to install "vmware" on your computer. http://vmware.com It allows you to run multiple operating systems on your computer simultaneously. I have that but it's a bit of a hog when switching from linux to/from windows. Vmware does cost money. There is also http://win4lin.com which does the same thing but only runs particular windows versions and when I last tried it it did not work well at all running XP. It's cheaper though. But yes, linux is now friendly enough to be installed and used by people who are not computer gurus. You won't have much in the way of an 800 support line if you have questions, but help can be found on the net if you can get to it, and your computer will have fewer problems anyway.
Show off. ;^)
"Ohio: It's not the heat...it's the humidity!"
"DOS ain't done 'til Lotus won't run."
"Ohio: It's not the heat...it's the humidity!"
What can I say? It runs on a MacBook Pro and everything else :-) ...and it isn't Microsoft!
Press 1 to proceed in English. Press 2 for Deportation.
Yes, let'save a poll. The Lead Loon (Golden Eagle) over at FreeRepublic just might soil himself over the result. ;c)
Now you're doing it on purpose! Speaking of showing off, I'm almost ready to start building the "Command Chair" Imagine something between this and a cockpit version of the old Star Trek arcade game from the 1980's: I want a workstation that looks like I could launch a thermonuclear orbital attack from it.
"Ohio: It's not the heat...it's the humidity!"
Heehee. Sorry, couldn't resist - and the command chair is NOT in the future of mirage's closet data center. Now, if a NetApp was less expensive, mmmm.....!
Press 1 to proceed in English. Press 2 for Deportation.
Wife won't let you have one, eh? And don't go getting all BobDole third person on me.
"Ohio: It's not the heat...it's the humidity!"
No wife to get in the way of things here. Just -- not interested in such a thing.
Press 1 to proceed in English. Press 2 for Deportation.
#2. To: Red Jones (#0)
It's been literally round-the-clock work on updates
I've already said too much.
#3. To: Red Jones (#0)
#4. To: Red Jones (#1)
#5. To: robin (#3)
#6. To: Neil McIver (#5)
#7. To: robin (#6)
#8. To: mehitable (#7)
#9. To: robin (#6)
#10. To: robin (#8)
#11. To: mehitable, robin (#7)
This might sound like a dumb question, rob, but where do you get Linux? Is it free, do you down-load it? If I'm already running Windows can I still install Linux?
#12. To: mirage (#9)
Solaris/OpenOffice here.
#13. To: robin (#8)
Microsoft's history is not pretty, and they still have annual lawsuits. I just don't like them.
#14. To: orangedog (#12)
Show off. ;^)
#15. To: Neil McIver (#5)
#16. To: mirage (#14)
It runs on a MacBook Pro
#17. To: orangedog (#16)
Now you're doing it on purpose!
#18. To: mirage (#17)
Heehee. Sorry, couldn't resist - and the command chair is NOT in the future of mirage's closet data center.
#19. To: orangedog (#18)
Wife won't let you have one, eh?
Top • Page Up • Full Thread • Page Down • Bottom/Latest