December 11th, 2006

Is MS Office becoming a zero-day liability all year long?

Posted by George Ou @ 12:36 am

Categories: Desktop, Security, Vista

Tags:

MS Office is nearly continuously vulnerable to zero-day attacks most months out of the year

A really critical vulnerability in Microsoft Word 2000, 2002, 2003, Mac 2004, and Viewer will not make Microsoft's patch Tuesday this week and a newly found critical vulnerability in Windows Media Player playlists will also miss the boat.  The exploit code for both vulnerabilities are out in the wild and there have been attacks on the Word exploit seen in the wild.  Unfortunately we most likely won't see a patch until the January patch Tuesday which is nearly 5 weeks away and Microsoft rarely issues out of cycle patches unless there is an overwhelming amount of negative press such as the WMF issue in early January of this year.

Microsoft gave the typical useless workaround asking people to avoid opening dangerous Word documents from known and unknown sources which doesn't exactly do anyone any good short of them dumping Microsoft Office.  While these sorts of vulnerabilities are not exclusive to Microsoft, Microsoft is the biggest target because of the ubiquitous nature of Microsoft Office and this may eventually threaten Microsoft's reign on office suites if people are concerned with Office security.

We have almost seen an even trickle of zero-day exploits every other month in 2006 for MS office that remain unpatched for 1 month or more.  As soon as one zero-day office flaw gets patched on a Tuesday, a new zero-day Office flaw pops up on Wednesday.  Now the attackers are getting even bolder to release these exploits one or two weeks in advance of patch Tuesday knowing that Microsoft probably won't catch it in their next cycle which causes the vulnerability to go unpatched for 6 weeks.  An attacker might have multiple exploits but they only need one at a time to break in to computer systems.  This means they'll only release one vulnerability at a time and not release the next one until the previous one is patched.  This means MS Office is nearly continuously vulnerable to zero-day attacks most months out of the year.  In fairness, the newly released Microsoft Office 2007 which went through the new SDL (Security Development Lifecycle) was not vulnerable to this latest zero-day exploit.

While Vista may mitigate some of these attacks that try to take over the computer because of UAC, it doesn't protect the user's data from theft, deletion, or ransomware where the user's data gets encrypted for ransom.  I spoke with Microsoft about this and they admitted would be the next phase of the war in a Vista security environment.  I recommended an application protected mode that engages whenever MS Office is opening an unknown Document that has an unfamiliar checksum because it wasn't locally generated or marked as safe.  The same type of protected mode should apply to any application that needs to process externally generated data since no application is perfect.

This application protected mode would give MS Office zero network access and zero file access other than the actual file it's opening.  This way, the only damage that can be done is the infected file itself.  No software application vendor has gotten to this stage yet but that's where they need to go.  With Vista's new security model, user data will be the next battle ground since the system will mostly be off limits.  Malware will most likely not even try to get system access since it risks detection by triggering a UAC privilege escalation prompt.  It will have to go straight for the user data and the most likely attack vector will be ransomware.  With Office attacks on the increase in the last year, Microsoft may be forced to adopt a more aggressive stance on application security or risk their biggest cash cow.