Trilight Zone Forum Index Trilight Zone
Privacy & Anonymity is our speciality !
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Microsoft's Achilles' Heel: Office

 
Post new topic   Reply to topic    Trilight Zone Forum Index -> Incidents
Author Message
tricore
Guest
PostPosted: Tue Jan 09, 2007 4:34 am    Post subject: Microsoft's Achilles' Heel: Office Reply with quote
The cyber attack last month against a U.S.-based public utility came wrapped in a Microsoft PowerPoint document featuring holiday illustrations and heartwarming reflections. This PowerPoint file, which resembled an innocuous version that was being forwarded around the Web by many sentimental e-mail users, had been modified to include a Trojan horse program designed to open a secret backdoor into the utility's internal computer network.

The company called in to investigate the attack, Verisign's iDefense Labs in Sterling, Va., also found two separate Microsoft Word files on computers inside the company's network that had also been tainted with malicious software code designed to give attackers control over the machines. None of the files were detected as malicious by the anti-virus software used by the company.

Ken Dunham, director of iDefense's rapid response team, said similarities in the computer code of all three malicious programs strongly suggested the handiwork of a Chinese hacking group known to write computer viruses for hire. And in each case, the attackers designed their hidden viruses to take advantage of security holes recently discovered in the Microsoft Office programs.

The attack investigated by iDefense is just one example of one of the biggest problems facing Microsoft: The seemingly endless string of vulnerabilities discovered last year in the software giant's Office software, the productivity suite that includes the widely used Excel, Outlook, PowerPoint and Word programs. Microsoft patched a total of 41 critical vulnerabilities in its various Office products last year, accounting for more than one third of the 104 "critical" flaws the company patched in all of 2006. Microsoft assigns a patch its most dire "critical" rating if the update fixes a vulnerability that bad guys could exploit with little to no action on the part of user, aside from maybe visiting a malicious Web site or viewing a specially crafted e-mail.

To put last year's 41 critical Office patches into perspective, consider that Microsoft shipped a total of 37 critical updates for all of its software products in 2005. None of the patch or vulnerability numbers cited in this story takes into account three still-unpatched vulnerabilities present in Microsoft Word, two of which Microsoft has acknowledged that criminals are actively exploiting.

In at least four cases in 2006, Microsoft rushed to issue patches to fix Office flaws that it first learned about after bad guys already were exploiting them for financial or personal gain.

For its part, nearly each time last year that Microsoft acknowledged attacks on unpatched flaws in its software, the company assured customers that the attacks were "very limited" and "very targeted" in scope. Indeed, at least when it comes to attacks this past year that leveraged unpatched Microsoft Office flaws, the anecdotes from victims have been few and far between, suggesting that the company's assurances are correct. It may also be the case that the victims of such attacks are government agencies or businesses that simply do not want to risk the potential for negative publicity should news of a network security breach attack reach the press.
Back to top
Display posts from previous:   
Post new topic   Reply to topic    Trilight Zone Forum Index -> Incidents All times are GMT
Page 1 of 1

 


Powered by phpBB © 2001, 2005 phpBB Group