What started as an amusing eBay listing of an Excel vulnerability for sale has developed into an all-out hacker assault on Microsoft Office applications.
Security researchers and malicious hackers have zeroed in on the desktop productivity suite, using specialized “fuzzing” tools to find a wide range of critical vulnerabilities in Word, Excel and PowerPoint file formats.
The upsurge in reported Office flaws has put Microsoft on high alert for targeted zero-day attacks that have all the characteristics of characteristics of corporate espionage—highly targeted and using Trojan horse programs to drop keyloggers and data theft malware programs, according to information from anti-virus vendor Symantec.
“Our Office team has been hard at work all summer. Its been literally round-the-clock work on updates and responding to issues. Its clear that the [security] research community is focusing on Office and other client-side vulnerabilities. Thats a shift we were actually expecting,” said Stephen Toulouse, a security program manager for Microsofts Security Technology Unit, in Redmond, Wash.
“As we make the operating system more resilient to attacks, it makes sense that the researchers are moving up to the application layer. Its not just Office under scrutiny. Were seeing the same thing with [Apple Computers] iTunes and even [OpenOffice.org]. Theres an upsurge in vulnerabilities all around,” Toulouse said.
The statistics are telling. In 2005, Microsoft shipped patches for five flaws affecting all versions of Office. In the first eight months of 2006, according to Toulouse, that number skyrocketed to 24.
“A lot of this stuff were finding ourselves. The teams working on Office 2007 are doing the same fuzz testing, and we are actually backporting those fixes in the form of security updates for current versions,” he said.
Fuzzing, or fuzz testing, is an automated technique used by researchers to find software bugs. Code auditors typically use a fuzzer to send random queries to an application. If the program contains a vulnerability that leads to an exception, crash or server error, researchers can parse the results of the test to pinpoint the cause of the crash.
“It seems like Office is the new Internet Explorer,” said Marc Maiffret, chief technology officer at eEye Digital Security, of Aliso Viejo, Calif. “A few years ago, the buzz was around IE flaws. Now, researchers are looking for other low-hanging fruit. Last year, it was easy to find a remote attack, but Microsoft spent a lot of time shoring up that attack surface. Now that remote attacks are harder, people are focusing on easier client bugs, and there are no better client programs to target than Office apps.”
To others, there is the thrill of the challenge. In December 2005, when an anonymous researcher put up an Excel flaw on eBay, the listing included clues about the actual vulnerability. It triggered a race in the research community to duplicate the finding.
“[The eBay lister] mentioned the actual memory function that caused the bug, and we put all our guys to work trying to find it,” said David Litchfield, managing director at Next Generation Security Software, a security consulting company operating out of the United Kingdom. “When Microsoft issued the patch, the list of researchers credited with reporting that bug was very long. Its clear that everyone had the same idea. Lets pound away on Excel and see if we can figure it out too,” explained Litchfield, in Sutton, England.
Microsofts Toulouse acknowledged that the eBay listing appeared to trigger a race to discover file format bugs in Excel and other Office applications, but he said internal software teams also are hammering away at Office, trying to beat attackers to the punch.
To Dave Aitel, a vulnerability researcher at Immunity, in Miami, its somewhat strange that Office applications flew under the radar. “Its really, really easy to find an Office bug. Every time Word or Excel crashes, its because of some random little bug that could be a security flaw. Everyone has dealt with a Word crash, so this is not a rare thing,” Aitel said.
“Im sure Microsoft will make it harder to crack Office after this year, but, right now, there are bugs everywhere. And its on every desktop out there, so its really a big, common target,” said Aitel, a high-profile researcher who creates exploits for Immunitys Canvas penetration testing tool.
David Goldsmith, president of New York-based security consulting company Matasano Security, believes the upsurge in Office flaw discoveries is a direct result of Microsofts work to harden the server services that ship with the Windows operating system. “Its part of the natural ebb and flow [of security research]. Once the researchers and attackers started focusing on client-side attacks, we started seeing a lot of IE bugs and IE patches. Its the same with Office,” said Goldsmith.
“Office is a big, tempting target for researchers with good fuzzers. People are now saying, Hey, lets look at Microsoft Office file formats,” Goldsmith said.
Microsofts Toulouse said the next version of Office will be resilient to the file format bugs that are being found today.
“Were already doing code auditing [fuzzing] during the software creation process, and we are applying what we learn to down-level versions. A lot of the patches you are seeing now are the result of our internal work,” he explained. “Weve had things reported to us that we had already found and were already in the middle of getting the updates ready.”