The Last Watchdog

on Internet security by Byron Acohido

First all-Office Patch Tuesday

Posted on March 11, 2008

Microsoft’s all-Office lineup of a dozen critical security patches on this Patch Tuesday is another proof point that the probing of Office for security holes is as vibrant as ever. Symantec senior research manager Ben Greenbaum acknowledges that the bad guys are probing Office flaws in targeted attacks designed to “get a beachhead” in corporate and military networks. He says the security community has come to expect to catch at least a couple of examples a month. “We know we don’t see them all,” Ben says. “And we don’t have metrics to reliably extrapolate how often this is really happening.” I queried three tech security sources about this, and Ben was gracious enough to answer my top-of-mind questions:

 Q: Does this month show a notable number of Office security holes?

 A: There are more patches for Office than usual, yes. Also notable is that all of the patches this month are for Office-related components. This is not a surprise; Symantec has observed this trend developing for over a year as attackers move from the operating system, which has seen security improvements in the last years, to the ‘soft underbelly’ of the applications.

 Q: Does this suggest a possible escalation of targeted attacks on well-placed individuals in certain corporations and government agencies?

 A: The increase in the number and percentage of Office patches does not directly suggest an increase in targeted attacks, no – however, in targeted attacks that we have observed, business applications including Office are a common vector.

 Q: How well is Microsoft staying on top of this new attack vector?

 A: No comment.

 Q: What anecdotal or direct evidence is out there that corporate and military espionage types are probing this area?

 A: We do have reported events of espionage attempts against both corporate and government targets where the attacker attempted to leverage an unreported Office vulnerability.

 Q: Can you help paint the wider context?

 A: As stated above, attackers are increasingly targeting the applications on a system rather than the operating system itself. Increasingly, they are even attacking plugins or modules added to the application by the user. As user data and user accounts have become the most highly sought after collateral in the online criminal economy, these entry points are as valuable as the traditional server targets of previous days, and in fact are often the end goal of even modern server-side attacks. Microsoft is doing the right thing by addressing as many of these as they can, but with the sheer size of the affected applications and the amount of features available, it will be an ongoing cat-and-mouse game for some time.

 
