Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft Office Under Siege



 By: Ryan Naraine
2006-08-13
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
News Analysis: Attackers and flaw finders are pounding away at Microsoft Office applications, discovering new ways to attack millions of Windows machines. Can Microsoft cope with the deluge of flaws?

What started as an amusing eBay listing of an Excel vulnerability for sale has developed into an all-out hacker assault on Microsoft Office applications.

Security researchers and malicious hackers have zeroed in on the desktop productivity suite, using specialized "fuzzing" tools to find a wide range of critical vulnerabilities in Word, Excel and PowerPoint file formats.

The upsurge in reported Office flaws has put Microsoft on high alert for targeted zero-day attacks that have all the characteristics of characteristics of corporate espionage—highly targeted and using Trojan horse programs to drop keyloggers and data theft malware programs, according to information from anti-virus vendor Symantec.

"Our Office team has been hard at work all summer. Its been literally round-the-clock work on updates and responding to issues. Its clear that the [security] research community is focusing on Office and other client-side vulnerabilities. Thats a shift we were actually expecting," said Stephen Toulouse, a security program manager for Microsofts Security Technology Unit, in Redmond, Wash.

"As we make the operating system more resilient to attacks, it makes sense that the researchers are moving up to the application layer. Its not just Office under scrutiny. Were seeing the same thing with [Apple Computers] iTunes and even [OpenOffice.org]. Theres an upsurge in vulnerabilities all around," Toulouse said.

The statistics are telling. In 2005, Microsoft shipped patches for five flaws affecting all versions of Office. In the first eight months of 2006, according to Toulouse, that number skyrocketed to 24.

Resource Library:
"A lot of this stuff were finding ourselves. The teams working on Office 2007 are doing the same fuzz testing, and we are actually backporting those fixes in the form of security updates for current versions," he said.

Fuzzing, or fuzz testing, is an automated technique used by researchers to find software bugs. Code auditors typically use a fuzzer to send random queries to an application. If the program contains a vulnerability that leads to an exception, crash or server error, researchers can parse the results of the test to pinpoint the cause of the crash.

Read more here about the Excel vulnerability that was listed on eBay.

"It seems like Office is the new Internet Explorer," said Marc Maiffret, chief technology officer at eEye Digital Security, of Aliso Viejo, Calif. "A few years ago, the buzz was around IE flaws. Now, researchers are looking for other low-hanging fruit. Last year, it was easy to find a remote attack, but Microsoft spent a lot of time shoring up that attack surface. Now that remote attacks are harder, people are focusing on easier client bugs, and there are no better client programs to target than Office apps."

To others, there is the thrill of the challenge. In December 2005, when an anonymous researcher put up an Excel flaw on eBay, the listing included clues about the actual vulnerability. It triggered a race in the research community to duplicate the finding.

"[The eBay lister] mentioned the actual memory function that caused the bug, and we put all our guys to work trying to find it," said David Litchfield, managing director at Next Generation Security Software, a security consulting company operating out of the United Kingdom. "When Microsoft issued the patch, the list of researchers credited with reporting that bug was very long. Its clear that everyone had the same idea. Lets pound away on Excel and see if we can figure it out too," explained Litchfield, in Sutton, England.

Microsofts Toulouse acknowledged that the eBay listing appeared to trigger a race to discover file format bugs in Excel and other Office applications, but he said internal software teams also are hammering away at Office, trying to beat attackers to the punch.

To Dave Aitel, a vulnerability researcher at Immunity, in Miami, its somewhat strange that Office applications flew under the radar. "Its really, really easy to find an Office bug. Every time Word or Excel crashes, its because of some random little bug that could be a security flaw. Everyone has dealt with a Word crash, so this is not a rare thing," Aitel said.

Read more here about zero-day attacks against Microsoft Word users.

"Im sure Microsoft will make it harder to crack Office after this year, but, right now, there are bugs everywhere. And its on every desktop out there, so its really a big, common target," said Aitel, a high-profile researcher who creates exploits for Immunitys Canvas penetration testing tool.

David Goldsmith, president of New York-based security consulting company Matasano Security, believes the upsurge in Office flaw discoveries is a direct result of Microsofts work to harden the server services that ship with the Windows operating system. "Its part of the natural ebb and flow [of security research]. Once the researchers and attackers started focusing on client-side attacks, we started seeing a lot of IE bugs and IE patches. Its the same with Office," said Goldsmith.

"Office is a big, tempting target for researchers with good fuzzers. People are now saying, Hey, lets look at Microsoft Office file formats," Goldsmith said.

Microsofts Toulouse said the next version of Office will be resilient to the file format bugs that are being found today.

"Were already doing code auditing [fuzzing] during the software creation process, and we are applying what we learn to down-level versions. A lot of the patches you are seeing now are the result of our internal work," he explained. "Weve had things reported to us that we had already found and were already in the middle of getting the updates ready."

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.





  Reader Comments: Microsoft Office Under Siege
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}v89hN;/ۑȖkb[K'G!m䐔w^b|g_bq -|ĖBw?I9wtô'1%3t;D{{?.ЇP|oS/92twNHN‰,-90o-Yn_H.Ma(7F`XӀ7? iP2\M8X@.@ש#07ۯZx۬) Rƒ tKs;j\K}0[=RFp JpJq䰉c,XSl \Mo4x M2X U >hI,E[!fT}N}%I F_~aϨ>s|V궝x>:AGAticŦh4@MMrӇtu4A. w|hx: }C 00gw9&z(t@ h&r<kIOlLJ.??6 ; G`rɝ 5y05ݻCi`y1yjQ?]*~s`=w= H X./ lmN7-}hZ`1 5#J0$w2Z}'%n.G))(/H.BD(ZHB!Alq [$pXxd++~Gy-#!bTLZ(ݞH:w&@-hƚTL٣XB ^X/_2әJRj2m<-&D7r"e.GwKቖ6F5oY,*GV+WMz92a z {[W5ܴ ҄%(𝀴t0OjHL\U}Ge٢3zn8 Iϱ(Y@aEдBk`JAqyc]@kwtlQ̴a85GS9_A\!4Lh,G7uIT5I5);eڷTۊv!39n! hW.Y 2cxRUyRt+[[3R7)\IYbT9XScXO`D~w Lzb0ufm/n$1`V|\uΖM"kͲ{_No6ҁveZZ @-Ui -a70Ԣ(`|M(" !tsaʹ,C /0Qid^0RK´9& zQ8e'og đaܧ^ǨO`섏k 5o`" 2l3s&/ftwE% i4Q,(J9A)` L] TFSyv{0$u`m\>(cpF,`^\|<ׇ> B KG"Z``Es ǖYCǖbTیЂ[|P*oұ@%УpӞrVyC濛?O=~4T+BZ= QQT*߬Ps1)'@S$f|`g<ڗ_ޝ4Mcg67`3Tx+}`x䣋2,*`Ȳ|˘7 մv2<~,3֔R)hBDVAE Qptoգ)u7qfv9A#]3@$72]t@ HQj89G& B1FGF'%:"pwC*2GԻ5ebՈG:`JEWFlJ瞏+ӥ ,ć# 4k 0Y[ ⺪TjՂʾ_YN+^> ) Lu0Ȑ%=GlThm.1Ul$R*lCĮ01^*==@7_ -ʖ~g˦ɪՆ'ayϤ͋p|5]|b9s#ONQMG9F T,ۀ ^093+F_H]-M:f2/c>ϣ#W5% `$fqN'GA:T{7 s0X3f~ruWk*d?y{ WzЭt;vʭܱ -&oc d.ōfπïǖ2mԚVNL&Vi Z;k}zGdCR =|'A΁ۇMO0="c^.k|Y{h֏'*z)ODʜYE/Q U-q'.҄^Ks9bvv'MU"[ qy lSbR/փ `AQO "U!T>O7(~ (zC>km {~L>\XS(.>MP*jIIz$peU1n?mVVW`j-^2۹in.E9[ 4˷ʨKV͖K%4e3/ -9@X<y}baHwrKz]w޼܀8ZfDS, .i,: -e4*ݐGUkNJZZ$t` ۳<0%{q*LEM+t׀m+J9wW|L4 #uL)_yHP?lZ.+BvQ *s>P|o =$Є_؆ +~w?l)ɡHHD>DiF\{e">QP(ٿUG @/I6S.:;l4BϢ.cNvH ۧ>^E!1@q3nnt/ ;QAZrkq >&u.[Uˇݏ-s|gi\·[dzLR(I1>dd˙]=+boVta Oa區 _9 ys)}=^xGsٖW's=BDHC䄬W!zNfS L k;d8)(hdjm\8=`&ziR_KվĂKӜ$"j?N3$nh0Skޚ( V`!旁PH2>(_aHHT dDӻ:o~den/2 m! D785S*PW2REHIAZu_f3bt<~Qt":Po1r!~_!cߗ&8~P6hLVf:n|"B2^'68;=h19ޏH/p"TS(LMàvD)fTDxi'y0:Ɩs8쀒N1{7lOܡM]>-gSs$S)ҤdAgJȄaye5)a5R!MLCYOC/%$f;B:z{ giMN.m2gjt.6D2FM`l)JZa!A|)J| 9i@ Rr;8%}@J^KJPW&BR 0><@s`¼*,SVHl;`ұGy~"ѴNxL7Ď#^@(NVu2k=7x'[_YN.t09]#ޣd=tWcL_ ;}Z]s>ͥ0i8;_=?P.zSgOɍ2sXs\ ZpFl+ҿDžܳbpfi?%>iפybAc$H~"`@wGL|9~ÿ§ ' ;s]'伉q+^QW{2.}?I/K턟ݖisP!OKdLg!I ɫ׺w7}ʜ9%'+w|62(oP2tI Js{Q[qe#?oWƹy+-R!ekEwWUKK㒏2E:'%:#ڮ/=اY\dbQWفgo ?u'|ȞFcԶ؉Exyg,d9a}43؞qbLd<J;oݭn T Ov!!%FJMc-!借Ц õcV#Ǵ _?qVԱQ*6oNւ1v̙[ʈ1/WIn26  \BӞ Ma_Ͻz2.mE>zQc%F}?^Sϗt8/`8?6#,Ӝib\Ň&LձW,}\hq%pFNox1ӧatfڰf;1d̞9VPjr4cRZNSTxHΩ̹'Μm膓),Exς]FF5ǎÎj7vP/Uı`"eP]3K.w2g@]]W 3)ˢT+`Y ?fNc(}IjLc'\C~0n!2.|-&XAPH}gjB{ ̞@- tF[06|p4vYD8f?;ˌI->N+b7bD ;:ɼa;nmb%,xDڥdId+d$e%!-IqLur6Ni0dVOmPۄ^8r-8[^PO.aYa? D J|]jXEBoHt&imDa?< `gq_"E:c 1]+ צ)f +}d Gq! d~wB~wB~wB~wBJ;!cH- /],Au 󫖗5ŌQ"7LF꓋W2V|{O6lQE=\?u7 USTE:.]Qeĥ^(zA ÅcT*jJm|C*@ H@•f9q9x([R9 10^ܘifD.0!zpӞ#j,^@}Ȣb@pG01|F$!̃8qb ʹwk;5&s"*$wpJ9x9 WC1R^&c%\t{Rq<_R jI5 Βy2θm?T,\u>[u{%陋=ƓAlIr[ZN`4zEp(RRWtP +ճ;ccEnίlI*LԢwr\'s%E`UC01k*J$EY^IQύ?KqmIZdRܫ6"4qN^<YO_<&ՆQ7GCIɃ7{){){){)|/eAU75=Yn Y צKΘmv.iesR@B{3C#ͺ} ݭ {۱6ݟOArgg [gn^,5<.zኣiX&:3Uc)8<~0G.zb" s)#x{ڣqVJ%$][s5[u/6@b7 HCˆ'evEC;ч2q-M,8+}E&9C..0ϔ:!@AȟH(/*k&,n,_ԞQ0dwgJ)boNUZ+~* ^v5!VvFEc706_=cYAIA*`cYA>^(lj8ʍCkl* w=35%IHcGh Ν3h.PY a 1$'?[<=pSO3\W{p/߁Xs<\"O0ޘvkBtϠ6k?0Zߘptym&n$5?h۾a+mն-1OċV{Ow]@VE6,љsGWR*eyX -}-%&ϒl;@-~?NFTˬ2M$Q3 ƹ+}b",k֖(P2maD+op/Ҏ|p{0KǠKt;4(P(>k~~i/m~ᑎc'kǗy0,YNܓժa`u". b1E+l@.h ǐ}Ek+»}3 d7 Cst{Qykũ߳yxj](Z@L7 ~Z+ R(CZPBZݲ’kM=Is1ꚚrMl @`"~ONDZC@ O^a)qc) kpxE΃L,t$7  /(/͛I~1207aS,^4J711ǜS+ERSs.}KRG(VzdqK2/ #|PWwƄFWe:-0Q5]B\U B-~0h1]Hst3#lzZCJOk&pVi j+LxW8OH_q=o7ݝA47:Uiis۷S7)O⋶'찔?1f{xES%">F2lSKaZ$~TRu1s9L"̶B ?GZA)r]3|US*Z < O$BȵF² s"2!3P=Ӓ"QGlTҊj95Y 4Ra*zdIO2L\\lgN((bXL~-=-|>dzE1m˖C/0经UztWc2 @L DLcB_9w|%5F[q{e>dYgV9/0۱px6-Rý^A@,=gY_`9bu{Ω 7ʒxlfm?ڒVo5JzK<~7)h gۦ~ lwF"td|G,%V̯mR߃q>k&[Q{Zak(`Š$Z*f63ZI B\"/=_!ƘMDF P#SC,6M$AeЃ5T?0нG )hUeQb+;Z@kb^ <ҁE+qܖ.tb,@+>N /&}& )IoH$]U# `xIF윓M﷯{aC_8s& sPX v;^ea T*0 ,*=}uH ]TW 3Ox7t'leh`={χ\n\h[:L8!iʿގח=01sA~b C:΁ lZ>$F(ЄG#g^q79m[ 45@!,^C. Q?9mDRPac=L#&|&M TZ_jAt|v#D[/d 6C;b<1c|>Oc_Dja.JUE dw  sn Q@J ͍$ԇ:ps+%̌S,0uA"\2,GGA~2u:RsF%~6t0^Q1e& > c[7xY%KM Ṉb$!%H$bcx=9 ِ!?2PX׻Ss,0(.ŌCZQJФ*t+R0cU-%(ߺoSnwV7X[z+i+K9Iˑ1;^h``frOuvcѼ:LNפINmx;\;Kr>&lkM‰/WQwq{sپ\sSM·_s}mP0mw %e9ũ_,jO4Wd;πW}VX\m] l/~D0/& F^M01cl۽֖S~Ƌ#xYf12;Zt>r:f pXmn8~(hOv{It/۹FhRs P!7(-ʯ74R](f#7vF l.?f=}F:YgsyktZпNF?ӹ(w2k|eϛy|v_d_d^ds E/>/2">G/3 ?eAYFߠoP~Q{1?s w1]7]? ͐/W@Wq_e sA?=/c=/c}~\c}}OY0O(*ɠh& K:ICP.Np3Kq /ޯ?e4@yJ͠2,c2\.2sܿw2~2A\t[u CFWT=k ϼdmth8VҮaq_l _zi k{J'zHGW4<< X1rnmŚ/JYy8* t!=}BcT %ܻ Gz‰n}(Ksҷe&m~4̊RlOApt_Ew9MAw0[`\Y"x}s&pJ!J8?0 HM׳pNť8 a箩%gz&\ʠaCao/Yb+F;cF<4Nwz:eēdy0\9+hw `z4}z<8ѿ6%'x([Lot_\詌Hτ[6пCɃS%(ML14X8D#jϗ97G:aKƈ DMKIn_!x'G W`wȼ!M0BkNYM^F`˫yCOfD՟x6,0G1i!DŽp7a$-K?Xv7n:+tjb5sp51h*+|6~xm oEtF3Fo"9 ţ:aс(Yc{XnDho;-@5kxY.$|[Jq}tA6H[mgvnCkFQg H?,x`Tς[.eL~?.' KGJ Ǝ$z o7_\ ɡ;wgYl@ꃧrSlY`_GBbЗ #+~a *q8w42T`';_MhpKaAtN[a>$N*۹b$ӧurԱ=8*p)mød |A«E/=ׇ"cX݃ChJt 3n=GIj'_7 BF3q4 Y8[rez.B%L9|_W5{to4Oe;BI<ŷ`-<>,"Ϸϒe|vKD2Ntx9= |n[~QڗE@1agG;(i*iou KAXr$sDs݅ ߠ(b/<% * >=.X&">m?'.}Fu+J'x8| j7;5m ˎ0 m'#84B>ԼmQ޺pml.; +C/c^pgUvy*s*>`H6A1^<;z>Ku!AY=_v{[=/'R`^|˼kAўYnw0w>L/#]ZFC`p ۂ{XiWeJpC)tO˞ĝ˰ANx3AE7k^rXٻ"Ps:#vKѺ v7" a^n1n-/ـ9&@r=֏*.uf94mBTFE®,:u` {];={&*kW؁nl`Txq;s[_08V0|6,lp/>CwϏq`2[uW^?W-lI12, $8zIW{{a0&iE㨤t`C v_ʉ~ph;?҈>A wVǰ.XF!Ƨۅ7'TS*4.v>ϝ>Z\99ZpϢy9q3E~#V+KVw9+[Ѐ7H>Y;PE"1s1GN= `5>gvC%z1w~X0~v19&Y>6s􋋙Ƚgz^4}jsXC *#f"WNENE<<*IDy)V@ O{ |>":xqea@T,7+c~ <^E!$g~V;~v?;u~k a% ѨT\ߴ;kO, -}tK'_w?^hI:V; AHcV}"^ֳ/ .A|>ǐy6n_1ԿiUUA$7yE1em*.{g;a+bBmP?-۔r&s.#KMjZ)ҦG(c>tgLt )2)v}ml-c6C-{p)