Three-year-old Office patch stymies most attacks

Microsoft adds to the problem by not offering Office patches through the popular Windows Update service, expert says

Users running Microsoft Office can stump nearly three-fourths of all known attacks targeting the suite by applying just one three-year-old patch, according to recently published data.

Almost three-out-of four attacks -- 71% of all those spotted in the first half of 2009 -- exploited a vulnerability in Word that was patched in June 2006, Microsoft said in its bi-annual security intelligence report, released Monday. The flaw was fixed in the MS06-027 security update issued.

The second-most popular exploit, with a 13% share, aimed at a bug that was quashed in March 2008, Microsoft said. The flaw was one of seven patched by the MS08-014 update.

The 2006 update patched Word 2000, Word 2002 and Word 2003, while the 2008 fix affected Excel 2000, Excel 2002, Excel 2003 and Excel 2007.

Microsoft made the point that patching Office was as important as keeping Windows up-to-date with security fixes. "The majority of Office attacks observed in [the first half of 2009], 55.5%, affected Office program installations that had last been updated between July 2003 and June 2004," the company said in its report. "Most of these attacks affected Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003."

Unfortunately, users are far less likely to update Office than they are to patch Windows. According to Microsoft's data, the median amount of time since the last Office update was an amazing 5.6 years, compared to just 1.2 years since the last Windows update.

"Users can keep Windows rigorously up to date and still face increased risk from exploits unless they also update their other programs regularly," Microsoft warned.

Wolfgang Kandek, the chief technology officer at security vendor Qualys, echoed Microsoft's take on Office patching patterns. "We see the same in our data," Kandek said. "People just don't patch Office, and when they do, they patch it much slower than Windows."

That especially holds true in the enterprise. "This is a major security hole in the enterprise," Kandek said. "IT admins are not focusing on Office as they are on Windows. They do what's required of them," he continued, hinting that they often do little more than that. "Windows' security has a high profile, and so they're patching Windows. I don't think they're looking at Office, to tell you the truth."

Qualys obtains its data from PCs that it manages for its clients, most of which are companies.

One way to stay up-to-date without patching every month is to apply the infrequent service packs that Microsoft issues for Office. "If the Office 2003 RTM users in the sample had installed SP3 [Service Pack 3] and no other security updates, they would have been protected against 98% of observed attacks," Microsoft said. "Likewise, Office 2007 RTM users would have been protected from 99% of attacks by installing SP2."

Microsoft delivered Office 2003 SP3 in September 2007, fixing more than 450 bugs in the application suite, and adding other security measures, including file blocking of older formats, a move that confused users well into the following year.

Office 2007 SP2 hit the street in April 2009.

Nine out of 10 Office exploits in the first half of 2009 involved a Trojan downloader, or backdoor malware. "These kinds of threats allow attackers to access compromised systems later to install more malware," Microsoft said.

Microsoft urged Office customers to use the Microsoft Update service, a superset of the better-known Windows Update that pushes patches for Windows and Office.

Here, too, Kandek was stumped by Microsoft's practice of offering two separate update services.

"I'm not sure why that's the way they do it," he said, speaking of Microsoft's providing Office updates to consumers and small businesses only through Microsoft Update. "I don't see why they simply can't replace Windows Update with Microsoft Update, and patch everything."

Microsoft offers Office, as well as Windows patches, to businesses that use its Windows Server Update Services (WSUS) patch management system.

Office was last patched Oct. 13 when Microsoft unveiled a record number of security updates and fixed flaws.

The security intelligence report can be downloaded from Microsoft's site in PDF or XPS document formats.

Copyright © 2009 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon