Three-year-old Office patch stymies most attacks
Microsoft adds to the problem by not offering Office patches through the popular Windows Update service, expert says
Computerworld - Users running Microsoft Office can stump nearly three-fourths of all known attacks targeting the suite by applying just one three-year-old patch, according to recently published data.
Almost three-out-of four attacks -- 71% of all those spotted in the first half of 2009 -- exploited a vulnerability in Word that was patched in June 2006, Microsoft said in its bi-annual security intelligence report, released Monday. The flaw was fixed in the MS06-027 security update issued.
The second-most popular exploit, with a 13% share, aimed at a bug that was quashed in March 2008, Microsoft said. The flaw was one of seven patched by the MS08-014 update.
The 2006 update patched Word 2000, Word 2002 and Word 2003, while the 2008 fix affected Excel 2000, Excel 2002, Excel 2003 and Excel 2007.
Microsoft made the point that patching Office was as important as keeping Windows up-to-date with security fixes. "The majority of Office attacks observed in [the first half of 2009], 55.5%, affected Office program installations that had last been updated between July 2003 and June 2004," the company said in its report. "Most of these attacks affected Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003."
Unfortunately, users are far less likely to update Office than they are to patch Windows. According to Microsoft's data, the median amount of time since the last Office update was an amazing 5.6 years, compared to just 1.2 years since the last Windows update.
"Users can keep Windows rigorously up to date and still face increased risk from exploits unless they also update their other programs regularly," Microsoft warned.
Wolfgang Kandek, the chief technology officer at security vendor Qualys, echoed Microsoft's take on Office patching patterns. "We see the same in our data," Kandek said. "People just don't patch Office, and when they do, they patch it much slower than Windows."
That especially holds true in the enterprise. "This is a major security hole in the enterprise," Kandek said. "IT admins are not focusing on Office as they are on Windows. They do what's required of them," he continued, hinting that they often do little more than that. "Windows' security has a high profile, and so they're patching Windows. I don't think they're looking at Office, to tell you the truth."
Qualys obtains its data from PCs that it manages for its clients, most of which are companies.
One way to stay up-to-date without patching every month is to apply the infrequent service packs that Microsoft issues for Office. "If the Office 2003 RTM users in the sample had installed SP3 [Service Pack 3] and no other security updates, they would have been protected against 98% of observed attacks," Microsoft said. "Likewise, Office 2007 RTM users would have been protected from 99% of attacks by installing SP2."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Taking Windows Mobile on Any Device Taking Windows applications mobile has many advantages, but the process of identifying a solution is complex. Learn how to solve this complex problem...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Windows White Papers | Webcasts