Microsoft Office Under Siege August 13, 2006
By Ryan Naraine
What started as an amusing eBay listing of an Excel vulnerability for sale has developed into an all-out hacker assault on Microsoft Office applications. Security researchers and malicious hackers have zeroed in on the desktop productivity suite, using specialized "fuzzing" tools to find a wide range of critical vulnerabilities in Word, Excel and PowerPoint file formats.
The upsurge in reported Office flaws has put Microsoft on high alert for targeted zero-day attacks that have all the characteristics of characteristics of corporate espionage—highly targeted and using Trojan horse programs to drop keyloggers and data theft malware programs, according to information from anti-virus vendor Symantec.
RELATED LINKS
Alert Raised for MS Word Zero-Day Attack eBay Pulls Bidding for MS Excel Vulnerability Critical Excel Flaws Remain Unpatched Microsoft Posts Excel 'Zero-Day' Flaw Workarounds Microsoft Confirms Excel Zero-Day Attack Under Way
"Our Office team has been hard at work all summer. It's been literally round-the-clock work on updates and responding to issues. It's clear that the [security] research community is focusing on Office and other client-side vulnerabilities. That's a shift we were actually expecting," said Stephen Toulouse, a security program manager for Microsoft's Security Technology Unit, in Redmond, Wash.
"As we make the operating system more resilient to attacks, it makes sense that the researchers are moving up to the application layer. It's not just Office under scrutiny. We're seeing the same thing with [Apple Computer's] iTunes and even http://[OpenOffice.org]. There's an upsurge in vulnerabilities all around," Toulouse said.
The statistics are telling. In 2005, Microsoft shipped patches for five flaws affecting all versions of Office. In the first eight months of 2006, according to Toulouse, that number skyrocketed to 24.
"A lot of this stuff we're finding ourselves. The teams working on Office 2007 are doing the same fuzz testing, and we are actually backporting those fixes in the form of security updates for current versions," he said.
Fuzzing, or fuzz testing, is an automated technique used by researchers to find software bugs. Code auditors typically use a fuzzer to send random queries to an application. If the program contains a vulnerability that leads to an exception, crash or server error, researchers can parse the results of the test to pinpoint the cause of the crash.
Read more here about the Excel vulnerability that was listed on eBay.
"It seems like Office is the new Internet Explorer," said Marc Maiffret, chief technology officer at eEye Digital Security, of Aliso Viejo, Calif. "A few years ago, the buzz was around IE flaws. Now, researchers are looking for other low-hanging fruit. Last year, it was easy to find a remote attack, but Microsoft spent a lot of time shoring up that attack surface. Now that remote attacks are harder, people are focusing on easier client bugs, and there are no better client programs to target than Office apps."
To others, there is the thrill of the challenge. In December 2005, when an anonymous researcher put up an Excel flaw on eBay, the listing included clues about the actual vulnerability. It triggered a race in the research community to duplicate the finding.
"[The eBay lister] mentioned the actual memory function that caused the bug, and we put all our guys to work trying to find it," said David Litchfield, managing director at Next Generation Security Software, a security consulting company operating out of the United Kingdom. "When Microsoft issued the patch, the list of researchers credited with reporting that bug was very long. It's clear that everyone had the same idea. Let's pound away on Excel and see if we can figure it out too," explained Litchfield, in Sutton, England.
Microsoft's Toulouse acknowledged that the eBay listing appeared to trigger a race to discover file format bugs in Excel and other Office applications, but he said internal software teams also are hammering away at Office, trying to beat attackers to the punch.
To Dave Aitel, a vulnerability researcher at Immunity, in Miami, it's somewhat strange that Office applications flew under the radar. "It's really, really easy to find an Office bug. Every time Word or Excel crashes, it's because of some random little bug that could be a security flaw. Everyone has dealt with a Word crash, so this is not a rare thing," Aitel said.
Read more here about zero-day attacks against Microsoft Word users.
"I'm sure Microsoft will make it harder to crack Office after this year, but, right now, there are bugs everywhere. And it's on every desktop out there, so it's really a big, common target," said Aitel, a high-profile researcher who creates exploits for Immunity's Canvas penetration testing tool.
David Goldsmith, president of New York-based security consulting company Matasano Security, believes the upsurge in Office flaw discoveries is a direct result of Microsoft's work to harden the server services that ship with the Windows operating system. "It's part of the natural ebb and flow [of security research]. Once the researchers and attackers started focusing on client-side attacks, we started seeing a lot of IE bugs and IE patches. It's the same with Office," said Goldsmith.
"Office is a big, tempting target for researchers with good fuzzers. People are now saying, 'Hey, let's look at Microsoft Office file formats,'" Goldsmith said.
Microsoft's Toulouse said the next version of Office will be resilient to the file format bugs that are being found today.
"We're already doing code auditing [fuzzing] during the software creation process, and we are applying what we learn to down-level versions. A lot of the patches you are seeing now are the result of our internal work," he explained. "We've had things reported to us that we had already found and were already in the middle of getting the updates ready."
Check out http://eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at http://eWEEK.com Security Center Editor Larry Seltzer's Weblog.
Copyright (c) 2006 Ziff Davis Media Inc. All Rights Reserved.