Over the past few years there has been a lot of concern about “advanced persistent threat” and targeted attacks such as “spear-phishing” and “whaling”. In my discussions with security professionals in different parts of the world I have encountered many different views on the risks associated with these attacks, ranging from disbelief that they actually happen to the belief that every email with an attachment contains an exploit.

The Microsoft Security Engineering Center (MSEC) studies such attacks looking for ways to mitigate the threats to current products, such as Microsoft Office, and help engineer mitigations into future products currently under development. We have published data and insights on some of the methods attackers use to perform targeted attacks, in past volumes of the Microsoft Security Intelligence Report (SIR).

For example, in SIR volume 8 we published a study the MSEC did on document file format exploits. I want to highlight this study here because I think it helps add a little context to the topic of targeted attacks and provides actionable guidance to help manage some of the associated risks.

Document File Format Exploits

Increasingly, attackers are using common file formats as transmission vectors for exploits. Most modern e-mail and instant messaging programs are configured to block the transmission of potentially dangerous files by extension, such as .exe, .com, and .scr, which have historically been misused to transmit malware. However, these same programs typically permit the transmission of many popular file formats, like .doc, .pdf, .ppt, and .xls. These formats are used legitimately by many people every day to share information and get work done, so blocking them is often not practical. This has made them an attractive target for exploitation.

This class of vulnerability can be described as parser vulnerabilities, wherein the attacker creates a specially crafted document that takes advantage of an error in how the code processes or parses the file format. Many of these formats are complex and designed for performance, and an attacker can create a file with a malformed section that exploits a vulnerability in the program.

There are two common attack scenarios. In one, the user receives an e-mail message with a document attachment. The e-mail message may look legitimate and may appear to come from someone the user knows. In the other common scenario, a user browsing the Web encounters a malicious or compromised Web site. The malicious code forces the browser to navigate to a malicious document, which is opened by the associated program. In both scenarios, when the document is opened, the exploit is activated and it downloads malware or extracts malware buried inside the document. Real-time antivirus scanning can help mitigate the danger from these attacks in some cases.

To assess the use of Microsoft Office system file formats as an attack vector, Microsoft analyzed a sample of several hundred files that were used for successful attacks in 2H09 (the second half of 2009). The data set was taken from submissions of malicious code sent to Microsoft from customers worldwide.

In total, exploits for nine different vulnerabilities were identified in the sample set, as shown in Figure 16.

Figure 16. Vulnerabilities exploited in Microsoft Office file formats in 2H09

All nine of these vulnerabilities had security updates available at the time of attack. The affected users were exposed because they had not applied the updates. Office 2000, Office XP, Office 2003, and the 2007 Microsoft Office system were each affected by at least one of the nine vulnerabilities (see Figure 20 for details).

Most of the vulnerabilities exploited in the data sample were several years old, with a third of them first identified in 2006. As Figure 17 illustrates, 75.8 percent of attacks exploited a single vulnerability (CVE-2006-2492, the Malformed Object Pointer Vulnerability in Microsoft Office Word) for which a security fix had been available for more than three years by the end of 2009.

Figure 17. Microsoft Office file format exploits encountered, by percentage, in 2H09

Figure 18. Microsoft Office file format exploits encountered, by system locale of victim, in 2H09

Users who do not keep their Office program installations up to date with service packs and security updates are at increased risk of attack. Figure 19 compares attacks observed in the sample set against Windows and Office during the second half of 2009.

Figure 19. Microsoft Office file format exploits encountered, by date of last Windows or Office program update, in 2H09

The horizontal axis shows the last date that the computers in the sample set were updated with security updates for Windows and Office. The vast majority of attacks involved computers with severely out-of-date Office program installations. Just 2.3 percent of attacks involved Office installations that had been updated within four years of December 2009, with more than half (56.2 percent) affecting Office program installations that had last been updated in 2003. Most of these attacks involved Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003.

As Figure 19 illustrates, it is not at all uncommon for victims of Office program exploit attacks to have Windows installations that are much more current. Almost two-thirds (62.7 percent) of the Office attacks observed in 2H09 affected computers running versions of Windows that had been updated within the previous 12 months. The median amount of time since the last operating system update for computers in the sample was about 8.5 months, compared to 6.1 years for the most recent Office program update—nearly nine times as long. This is not to suggest that users who apply Windows security updates are at greater risk of attack, but it does help illustrate the fact that users can keep Windows rigorously up to date and still face increased risk from exploits unless they also update their other programs regularly.

To further illustrate the importance of applying all service packs and other security updates, Figure 20 and Figure 21 compare the relative levels of vulnerability of different versions of Microsoft Office as originally released and with the most recent service pack for each version installed.

Figure 20. Vulnerabilities affecting RTM versions of Office 2000 through Office 2007

Figure 21. Vulnerabilities affecting Office 2000 through Office 2007 with latest service packs installed

The RTM versions of Office 2000, Office XP, and Office 2003 are each affected by all of the vulnerabilities seen in the sample set, and the RTM version of Office 2007 is affected by five of the nine vulnerabilities. If the Office 2003 RTM users in the sample had installed Service Pack 3 (SP3) and no other security updates, they would have been protected against 96 percent of observed attacks; likewise, Office 2007 RTM users would have been protected from 99 percent of attacks by installing SP2.

However, merely installing service packs is often not enough to provide an adequate level of protection against attacks, especially for older program versions. Office 2000, Office XP, and Office 2003 are each affected by all nine of the vulnerabilities exploited in the sample, even with the latest service pack installed. Users of any of these Office versions who install all service packs and security updates as they are released (for example, by configuring their computers to use Microsoft Update, http://update.microsoft.com, instead of Windows Update) are protected from all nine of these vulnerabilities, as of December 2009.

The key things to take away from this study are:

  • Once attackers figure out how to exploit a document parser vulnerability, they will try to use that exploit for years to come.
  • Newer is better: running the latest version of document parsers and the latest service pack is a very effective mitigation against these types of attacks.
  • Keep all of your software up to date including document parsers such as Microsoft Office, Adobe Acrobat, Adobe Reader, and others.
  • Use Microsoft Update to keep your Windows-based systems up to date, instead of Windows Update. Microsoft Update will help keep all of your Microsoft software updated, including Windows operating systems and Microsoft Office, whereas Windows Update only keeps Windows operating systems up to date.
  • If you haven’t updated the document parsers you have installed on your systems, you should give serious consideration to doing so.
  • Don’t open email attachments or documents hosted on the Internet if you don’t know and trust their source.
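One way to act on the Microsoft Update takeaways above, as an added example that is not part of the original post: a PowerShell script that opts a machine into Microsoft Update through the Windows Update Agent COM API, reports how long ago Office was last successfully patched (the measure Figure 19 is built on) and lists Office updates that are still missing. It assumes a Windows Update Agent that exposes AddService2 (Windows 7 era or later), the published Microsoft Update service ID, and an elevated prompt; the title-matching pattern is a heuristic of this example, not an official filter.

```powershell
# Added example (not from the original post). Opt into Microsoft Update so Office is
# patched alongside Windows, then report Office patch age and missing Office updates.
# Run from an elevated PowerShell prompt.

$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'  # published Microsoft Update service ID
$OfficeTitlePattern       = 'Office|Word|Excel|PowerPoint|Outlook'  # heuristic title filter (assumption)

# 1. Register Microsoft Update. Flags 7 = allow pending registration (1) + allow online
#    registration (2) + register the service with Automatic Updates (4).
$serviceManager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$alreadyOptedIn = $serviceManager.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
if (-not $alreadyOptedIn) {
    $null = $serviceManager.AddService2($MicrosoftUpdateServiceId, 7, '')
    Write-Host 'Opted this computer in to Microsoft Update.'
}

# 2. Date of the last successfully installed Office update (ResultCode 2 = succeeded).
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$lastOffice = $null
if ($total -gt 0) {
    $lastOffice = $searcher.QueryHistory(0, $total) |
        Where-Object { $_.ResultCode -eq 2 -and $_.Title -match $OfficeTitlePattern } |
        Sort-Object Date -Descending | Select-Object -First 1
}
if ($lastOffice) {
    $ageDays = ((Get-Date) - $lastOffice.Date).TotalDays
    Write-Host ('Last Office update installed {0:d} ({1:N0} days ago): {2}' -f $lastOffice.Date, $ageDays, $lastOffice.Title)
} else {
    Write-Host 'No successfully installed Office update found in the update history.'
}

# 3. Office updates available from Microsoft Update but not yet installed.
$searcher.ServerSelection = 3                         # ssOthers: query the service named below
$searcher.ServiceID       = $MicrosoftUpdateServiceId
$missing = @($searcher.Search("IsInstalled=0 and Type='Software'").Updates |
    Where-Object { $_.Title -match $OfficeTitlePattern })
if ($missing.Count -eq 0) {
    Write-Host 'No missing Office updates.'
} else {
    Write-Host "Missing Office updates ($($missing.Count)):"
    $missing | ForEach-Object { Write-Host "  - $($_.Title)" }
}
```

The online search in step 3 needs network access to Microsoft Update; steps 1 and 2 work offline.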

Tim Rains
Director, Product Management
Trustworthy Computing