Since my last update, Microsoft has announced yet another Office document-related attack. Microsoft security advisory 932553 details an arbitrary code execution exploit affecting all versions of Office for Windows and Mac except for Office 2007 for Windows. This is another zero-day exploit. These frequent 0-day Office document exploits often make me ponder what can be done to mitigate our risk until Microsoft issues the patch, assuming a migration away from Office isn’t an option – which it isn’t for most of us. After a word from the people who made this issue possible, here are 3 proactive steps you can take to mitigate these very real risks.
1. Cover your attack vectors with multiple antivirus engines. Since these are document-based exploits, AV software is in a perfect position to catch them. In talking to several different antivirus vendors, it’s clear that while these document-related exploits aren’t viruses per se, the AV community takes them seriously and quickly incorporates signature updates to detect them. Dave Cole, Director of Symantec Security Response, explained that some exploits can be detected whether or not they are coupled with known malware. Other exploits don’t have an easily recognizable signature, and AV engines can only catch instances of the exploit embedded in a known virus, Trojan or worm. Information sharing between AV vendors is reportedly good, and in general vendors say Microsoft does a good job sharing information about new exploits – but that there is still room for improvement. Bottom line: AV is more important than ever.
2. Upgrading Office and Windows costs money in terms of license and implementation work, but some of that cost is definitely offset by exposure to fewer vulnerabilities. The vulnerabilities of the last few years have borne this out, with many exploits consistently getting a lower severity or not being a factor at all for shops running Office 2003 and XP with the latest service pack. Yet again, Vista and Office 2007 aren’t showing up on security bulletins. They will in time, but by then a new update or version will be out. Everyone upgrades sooner or later. Upgrading sooner means fewer vulnerabilities.
3. The common workaround offered in these Office document vulnerabilities is “don’t open unsolicited attachments from known or unknown senders.” At first blush, my response to that is – “yeah right, not much of a workaround”. That means depending on losers (ahem – users) to modify their behavior, and what about legitimate attachments that happen to be infected? But there are no total solutions out there. I also have to admit that you can often recognize malicious emails that make it through your AV software because there’s something “just not right” about the wording, sender or something else about the message. Educating your users on the danger of email attachments and sensitizing them to weird or unexpected emails pays off in terms of both malicious documents and phishing attacks.
Until next time, keep mitigating those risks.