Alexander Gostev, Senior Virus Analyst, Kaspersky Lab comments that the first six months of 2006 was “notable for the complexity of the technologies which antivirus companies had to deal with, a large number of new proof of concept programs, and the ever increasing interest shown by hackers in Microsoft Office.”
While there was no great exploit epidemic during this latest quarter, nor any new proof-of-concept viruses for that matter, nor even much activity on the virus front at all, that is not to say it has been a dull three months from the perspective of the security professional. Of most interest to me has been the continuing unwanted attention paid to the MS Office suite of applications, or, to be more precise, the fact that nothing has really changed in this regard since the first six months of the year.
To put this into some perspective you have to look back to the last report from Kaspersky Lab, which highlighted the problem of OLE documents, as created by Office applications, which were at the centre of a whole host of vulnerabilities (in excess of 100) that were discovered and publicized before Microsoft was able to produce even a temporary patching solution. At the time Kaspersky Lab were vocal enough in pointing out that in order to properly secure its Office suite, Microsoft could not rely on the ‘Band-Aid over a gaping wound’ stopgap of issuing patches for each vulnerability, but rather would need to address the technology that powers and processes OLE objects. Needless to say, nothing has happened in this regard, and Microsoft continues with its now obviously ineffective ‘Patch Tuesday’ strategy. No great surprise, then, that Kaspersky Lab reports malicious users continuing to challenge Microsoft with new Trojans, the most active threats apparently coming from the direction of Chinese hackers.
Just look at the vulnerability head count for those three months if you need evidence of the failure of Microsoft to properly address the flaws in its strategy:
- Microsoft Security Bulletin MS06-037
- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (917285)
- Microsoft Security Bulletin MS06-038
- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)
- Microsoft Security Bulletin MS06-039
- Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (915384)
- Microsoft Security Bulletin MS06-047
- Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)
- Microsoft Security Bulletin MS06-048
- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)
- Microsoft Security Bulletin MS06-054
- Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)
And if you want to add to the list those vulnerabilities that were fixed by patches in October but originally detected in September (and why not?), here they are:
- Microsoft Security Bulletin MS06-058
- Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (924163)
- Microsoft Security Bulletin MS06-059
- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164)
- Microsoft Security Bulletin MS06-060
- Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (924554)
- Microsoft Security Bulletin MS06-062
- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922581)
“At Kaspersky Lab,” the report notes, “we even started betting on how long it would take for a new vulnerability to be detected in Office after the previous patch had been released. And the question wasn't whether a new vulnerability would be detected, but when: in each case, it was clearly only a matter of time, and not much time at that.” To make matters worse, for pretty much all of the reported vulnerabilities there were literally dozens of Trojans detected, so we are not talking isolated attacks here but large-scale, determined exploitation of known holes. It is this scale that prompts Kaspersky to float a theory to explain the attacks: the possibility that Microsoft is being deliberately targeted in an attempt to discredit the Seattle giant as an information security specialist.
To be honest, there are many who would claim that it doesn’t require a concerted effort by Chinese hackers to do that...