Three-year-old Office patch stymies most attacks

Computerworld - Users running Microsoft Office can stump nearly three-fourths of all known attacks targeting the suite by applying just one three-year-old patch, according to recently published data.

Almost three-out-of four attacks -- 71% of all those spotted in the first half of 2009 -- exploited a vulnerability in Word that was patched in June 2006, Microsoft said in its bi-annual security intelligence report, released Monday. The flaw was fixed in the MS06-027 security update issued.

The second-most popular exploit, with a 13% share, aimed at a bug that was quashed in March 2008, Microsoft said. The flaw was one of seven patched by the MS08-014 update.

The 2006 update patched Word 2000, Word 2002 and Word 2003, while the 2008 fix affected Excel 2000, Excel 2002, Excel 2003 and Excel 2007.

Microsoft made the point that patching Office was as important as keeping Windows up-to-date with security fixes. "The majority of Office attacks observed in [the first half of 2009], 55.5%, affected Office program installations that had last been updated between July 2003 and June 2004," the company said in its report. "Most of these attacks affected Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003."

Unfortunately, users are far less likely to update Office than they are to patch Windows. According to Microsoft's data, the median amount of time since the last Office update was an amazing 5.6 years, compared to just 1.2 years since the last Windows update.

"Users can keep Windows rigorously up to date and still face increased risk from exploits unless they also update their other programs regularly," Microsoft warned.

Wolfgang Kandek, the chief technology officer at security vendor Qualys, echoed Microsoft's take on Office patching patterns. "We see the same in our data," Kandek said. "People just don't patch Office, and when they do, they patch it much slower than Windows."

That especially holds true in the enterprise. "This is a major security hole in the enterprise," Kandek said. "IT admins are not focusing on Office as they are on Windows. They do what's required of them," he continued, hinting that they often do little more than that. "Windows' security has a high profile, and so they're patching Windows. I don't think they're looking at Office, to tell you the truth."

Qualys obtains its data from PCs that it manages for its clients, most of which are companies.

One way to stay up-to-date without patching every month is to apply the infrequent service packs that Microsoft issues for Office. "If the Office 2003 RTM users in the sample had installed SP3 [Service Pack 3] and no other security updates, they would have been protected against 98% of observed attacks," Microsoft said. "Likewise, Office 2007 RTM users would have been protected from 99% of attacks by installing SP2."