Kaspersky updates its cybercrook look book: Smashing Office is hot, browser vulns are not

Russian security biz Kaspersky Lab has said more than 70 per cent of malware attacks it detected last year were made against everyone's favourite Microsoft suite – Office. "In the past few months, MS Office... became the most targeted platform," the firm said in a blog post. It produced a graph showing that between Q4 2016 and …

  1. Paul Crawford Silver badge

    Worryingly, the 2018 CVE mentioned by Kaspersky was patched in January that year, suggesting user and/or sysadmin slackness has a part to play in the popularity of these particular problems.

    Of course the MS "patch" for the equation editor simply breaks it - they DID NOT FIX IT. Apparently they don't have the code or license to do so! https://www.theregister.co.uk/2018/01/16/microsoft_equation_editor_patched/

    So if you have many documents using the old-style equation editor and don't want masses of pointless work trying to re-draw them (probably introducing errors) in the somewhat more shitty new-style MS equation editor, you simply can't plug that hole.

    1. Anonymous Coward

      Or you can teach users not to open random documents from the Internet and the bug doesn't need patching.

      Yeah I know, it's impossible to do.

      1. Joe Montana

        User behaviour

        If you teach users to do that, then they won't be able to get their work done because all manner of organisations routinely send documents around in msoffice formats. Once people stop doing that, then you can teach them not to open random documents.

  2. lglethal Silver badge

    Just curious

    When they say ".. browser-targeting attacks shrank from 45 per cent to just 14 per cent of the total seen by Kaspersky." do they mean that they saw a decrease in the use of these attacks or just that the sheer number of new office based attacks brought the percentage down?

    I mean if there are 100 attacks last month and 45 of them were browser based, but this month there were suddenly 500 attacks of which 70 were browser based, that doesn't really mean that browser based attacks are on the way out, just that the office based attacks really kicked off.

    Just curious...

  3. Anonymous Coward

    If the cause of the prominence of the usage of those flaws is caused by not patching software, how does using open source software fix anything? Be it Windows, Office, Linux, LibreOffice... They all need patching.

    What would be ideal is to separate completely the Internet browser from the rest of the device. And then begin to teach common sense to people so they don't go ahead and open whatever file they got from a suspicious e-mail or that an Adode Flash Prayer webpage told them to open.

    1. matt 83

      Most Linux distros come with a pretty comprehensive patching/update system so you can just go to one place to update all your software rather than having a festering swamp of custom software updaters all trying to do their own thing that you have with Windows.

      It would be ideal if MS provided a decent update mechanism for software you install on your Windows computer... You install your software, then Windows keeps it up to date for you by downloading new versions direct from the software supplier without having to use some kind of app store.

      It's not rocket science. The software installer would just need to register a URL to check for updates. Some Windows service would then periodically check that URL and download/install files as appropriate. You could even have a nice "Settings" page where the status of all the updates is shown along with an option to disable a specific item. Windows could even give you an alert when it sees you're using dangerously out of date software.

      1. John Brown (no body) Silver badge

        MS would love that. The other software suppliers, not so much. MS would get more data on people's install and update habits while the other suppliers lose the chance to upsell.

        Having said that, are MS still pushing the Windows Store? Is there anything in it?

        1. Joe Montana

          If done the way linux distros do it, which lets users add their own custom repos then no, MS would not get any data from users.

          Which is why they don't do it the way linux distros do, they try to push their own store where instead of letting users add their own repos, any publisher has to go through microsoft giving them control and information - worse for users, worse for other publishers.

  4. a_yank_lurker Silver badge

    Orifice Strikes Back

    Backwards compatibility is nice but how many actually open 20 year old orifice documents on any kind of regular basis? I think the answer for most would be no. So blindly insisting that the current release of Orifice can readily open and edit these documents is foolish. I would think the primary reason for opening such an old document would be for historical context not to edit it. Slurp should think through their blind insistence because 5 users this year might need to actually edit a 20 year old document.

    1. Jason Hindle

      Re: I occasionally open a document from 2005

      So almost 15. And I wish the person who wrote (and still refines) the software in question would update his bloody manual.

    2. Captain Scarlet Silver badge

      Re: Orifice Strikes Back

      Loads, they tend to be forms written by someone 15 years ago and no-one in said departments can be arsed to re-write them.

  5. Anonymous Coward

    MS Office most targeted application in the world?

    CVE-2018-8174 The infection chain consists of the following steps:

    • A victim receives a malicious Microsoft Word document.

    • After opening the malicious document, a second stage of the exploit is downloaded; an HTML page containing VBScript code.

    • The VBScript code triggers a Use After Free (UAF) vulnerability and executes shellcode.

    “CVE-2018-8174, that introduced a completely new attack vector. Zero-day exploit utilized a technique to load an Internet Explorer engine component right into the process context of MS Office and exploited an unpatched VBScript vulnerability without any user interaction.” ref

    “Microsoft Office is a hot target for attackers and will remain so. Attackers aim for the easiest targets, and legacy features will be abused.” ref

    Wha' ..

    I think the root of the problem is msOffice docs are compressed binary BLOBS, basically Windows executables ..

  6. Joe Montana

    Makes sense - monoculture

    Browsers have been less targeted ever since msie stopped holding 90+% market share... Now you have several browsers, and several different platforms that people commonly run them on so it's much harder to target.

    With msoffice however, you still have a 95+% target to shoot at. You used to be able to pretty much guarantee that your intended victim would be running msie, now you can almost guarantee they are running msoffice. If there is no monoculture, attacks become much harder.

  7. An nonymous Cowerd

    In other Kaspersky news

    A large institution which banned ‘em, due to spying endemic in AV products, has revealed to MEPs that there is zero documented spying

    According to zero day https://www.zdnet.com/article/eu-no-evidence-of-kaspersky-spying-despite-confirmed-malicious-classification/

  8. This post has been deleted by its author

  9. mhenriday

    Go Left, young man, go Left !

    doing something left-field like dumping Office for open-source software
    With apologies to Horace Greeley....

    Henri
