Over the past few years there has been a lot of concern about “advanced persistent threat” and targeted attacks such as “spear-phishing” and “whaling”. In my discussions with security professionals in different parts of the world I have encountered many different views on the risks associated with these attacks, ranging from disbelief that they actually happen to the belief that every email with an attachment contains an exploit.
The Microsoft Security Engineering Center (MSEC) studies such attacks looking for ways to mitigate the threats to current products, such as Microsoft Office, and help engineer mitigations into future products currently under development. We have published data and insights on some of the methods attackers use to perform targeted attacks, in past volumes of the Microsoft Security Intelligence Report (SIR).
For example, in SIR volume 8 we published a study the MSEC did on document file format exploits. I want to highlight this study here because I think it helps add a little context to the topic of targeted attacks and provides actionable guidance to help manage some of the associated risks.
Document File Format Exploits
Increasingly, attackers are using common file formats as transmission vectors for exploits. Most modern e-mail and instant messaging programs are configured to block the transmission of potentially dangerous files by extension, such as .exe, .com, and .scr, which have historically been misused to transmit malware. However, these same programs typically permit the transmission of many popular file formats, like .doc, .pdf, .ppt, and .xls. These formats are used legitimately by many people every day to share information and get work done, so blocking them is often not practical. This has made them an attractive target for exploitation.
To assess the use of Microsoft Office system file formats as an attack vector, Microsoft analyzed a sample of several hundred files that were used for successful attacks in 2H09 (the second half of 2009). The data set was taken from submissions of malicious code sent to Microsoft from customers worldwide.
All nine of these vulnerabilities had security updates available at the time of attack. The affected users were exposed because they had not applied the updates. Office 2000, Office XP, Office 2003, and the 2007 Microsoft Office system were each affected by at least one of the nine vulnerabilities.
Most of the vulnerabilities exploited in the data sample were several years old, with a third of them first identified in 2006.
Users who do not keep their Office program installations up to date with service packs and security updates are at increased risk of attack.
The key things to take away from this study are:
- Once attackers figure out how to exploit a document parser vulnerability, they will try to use that exploit for years to come.
- Newer is better: running the latest version of document parsers and the latest service pack is a very effective mitigation against these types of attacks.
- Keep all of your software up to date including document parsers such as Microsoft Office, Adobe Acrobat, Adobe Reader, and others.
- Use Microsoft Update to keep your Windows-based systems up to date, instead of Windows Update. Microsoft Update helps keep all of your Microsoft software updated, including Windows operating systems and Microsoft Office, whereas Windows Update only keeps Windows operating systems up to date.
- If you haven’t updated the document parsers you have installed on your systems, you should give serious consideration to doing so.
- Don’t open email attachments or documents hosted on the Internet if you don’t know and trust their source.
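The Microsoft Update versus Windows Update point above is easy to verify on a given machine. The following PowerShell script is an added example (not from the original post) that uses the Windows Update Agent COM API to check whether the host is opted in to Microsoft Update, opts it in if not, and then lists the updates that are applicable but not installed, grouped by product so that missing Office updates stand out. It assumes an elevated PowerShell session and uses the well-known Microsoft Update service ID.

```powershell
# Added example: confirm that Automatic Updates covers Office (Microsoft Update),
# not just Windows (Windows Update), and list missing updates per product.
# Requires an elevated PowerShell session (the opt-in step writes WUA settings).

# Well-known service ID that the Windows Update Agent uses for Microsoft Update.
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

$serviceManager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$muService = $serviceManager.Services |
    Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }

if (-not $muService) {
    Write-Host 'Microsoft Update is not registered; opting in so Office updates are offered.'
    # Flags 7 = allow pending registration + allow online registration + register with Automatic Updates.
    $null = $serviceManager.AddService2($MicrosoftUpdateServiceId, 7, '')
} elseif (-not $muService.IsDefaultAUService) {
    Write-Warning 'Microsoft Update is registered, but Automatic Updates still uses Windows Update only.'
} else {
    Write-Host 'Automatic Updates is already using Microsoft Update.'
}

# Query Microsoft Update explicitly for applicable updates that are not installed.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 3                      # ssOthers: use the service ID set below
$searcher.ServiceID       = $MicrosoftUpdateServiceId
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')

# Group by the update's "Product" category (e.g. "Office 2007", "Windows 7") so that
# document parsers with outstanding security updates are visible at a glance.
$missing = foreach ($u in $result.Updates) {
    $product = ($u.Categories | Where-Object { $_.Type -eq 'Product' } | Select-Object -First 1).Name
    [pscustomobject]@{
        Product  = if ($product) { $product } else { 'Unknown' }
        Severity = $u.MsrcSeverity                 # MSRC rating, empty for non-security updates
        KB       = ($u.KBArticleIDs -join ',')
        Title    = $u.Title
    }
}

$missing | Sort-Object Product, Severity | Format-Table -AutoSize
$nonWindows = @($missing | Where-Object { $_.Product -notmatch '^Windows' })
Write-Host ("{0} missing update(s), {1} for non-Windows products such as Office." -f @($missing).Count, $nonWindows.Count)
```

If the script reports missing updates for an Office product on a machine that only ever used Windows Update, that is exactly the exposure the study above describes: the update existed, but the machine was never offered it.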
As a former Microsoft Systems Management Server (SMS) admin, I can tell you that patching isn't as easy as it sounds and it isn't as flashy as some other threat mitigation processes... but it is critically important for organizations to have a patch process in place - it is truly the last line of defense.
In today's threat landscape, patching just IE isn't enough anymore. You have to patch OS, browser, browser plug-ins and other programs that are being used in targeted attacks (like Office) against employee endpoints.
In large enterprises, the 'patchable' software surface can be daunting to patch management administrators. Combine that feeling with the reality that many employees have the ability to install whatever they want on my corporate endpoints (due to admin rights and/or a less managed endpoint posture) and you have a patch management nightmare that seems impossible.
So what can you do?
Use threat and exploit intelligence to focus your efforts on the vulnerabilities that you know are being exploited. Patch those now...and use that protection space generated by those efforts to evaluate your specific environment and identify the next subset of programs which should be patched - using a risk-based approach.