Why do Hackers Ignore MS Office as an Attack Target?

Following the recent Blaster and SoBig worm attacks, perhaps Microsoft deserves some credit for nipping in the bud the major threats to Office. While Security Supersite Editor Larry Seltzer notes that most Office users have little appreciation for the pro

You havent read a lot on this site about Microsoft Office threats, and thats no oversight. If we time warped back to 1999 or 2000, there would be plenty to write about. But an unusual thing happened during the development of this particular category on the list of security problems: Microsoft put a stop to it. At least for the most part.

Office is a major development platform, both within corporations and for consultants. Its a good example of what Microsoft has always done best: to take a useful platform and make it very programmable. In many cases, the Internet came to bite this strategy on the ... well lets just say it caused problems.

Programmability brought with it the opportunity for abuse. Industry figures pontificated at the time of Melissa and ILOVEYOU, the original Outlook macro worms, that Microsoft had gone too far in making applications such as Outlook programmable. However, following the incidents, a couple of security updates seemed to dispose of the problem. Every Office threat since that time—and there havent been all that many—attempts to exploit the same old hole that was patched in the year 2000.

There were many important security features in that update, but Ill focus on two that remain important today: that macros and other applications can no longer access the address book without interactive permission from the user; and Outlooks handling of attachments. No doubt, many of you have run into the first roadblock when youve tried to synch a Palm device. It brings up the message: "An application is attempting to access the address book" and asks you if you want to allow it permission and for how long.

Of greater importance over the past couple of weeks is the default action of Outlook to strip out executable attachments, including the .SCR and .PIF files sent by the Sobig.F worm, which is still plaguing the Net. (If you want to read more on Office 2003 security features see Microsofts white paper on the topic.)

No users of Outlook 2002 (or Outlook 98 or 2000 with the Security Update installed) were infected by SoBig worms unless users specifically turned off the attachment security feature. Current versions of Outlook Express also implement these precautions.

So who then spread the worm? Mostly users of old, unpatched software and users of other so-called "safe" e-mail programs.

Ken Dunham, Malicious Code Intelligence Manager at iDEFENSE Inc., agreed that the old versions of Office are a problem. He pointed out that "many home and SOHO computers are not updated with new software, let alone patched."

Unfortunately for all of us, Office 97 was a wildly popular version and to this day there are many people out there running it. And hackers are still writing macro viruses for Office 97, such as the recently revealed WM97/Adenu-A. According to Microsoft, Office 97 cant be fixed.

Meanwhile, the authors of e-mail worms reacted quickly to the fixes found in later versions of Office. For example, when users nowadays see familiar addresses in worm-based e-mail they often assume that the addresses came out of their address book. But this is unlikely. Instead, all modern worms search a variety of files on the system, including the browser cache, for e-mail addresses to use. They also include their own SMTP servers so that they dont have to rely on the users e-mail client to send mail. One of the innovations in Sobig.F is that it includes a multithreaded SMTP server, improving the performance of mail distribution.

So why hasnt Office been a more common target for attacks? Perhaps the answer has to do with the fact that native code is not easy to invoke from within the relatively controlled environment of Office applications. Sure its possible to create and install COM add-ins and other native code extensions to Office, but its no easier than delivering any other Windows executable. Attackers cant just slip something into an Office document.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer