IT Jobs
Old Microsoft Office patch protects against most attacks
But Windows Update service should offer Office patches, expert says
By Gregg Keizer | Computerworld US
Published: 11:25 GMT, 05 November 09
Users running Microsoft Office can stump nearly three-fourths of all known attacks targeting the suite by applying just one three-year-old patch, according to recently published data.
Almost three-out-of four attacks - 71% of all those spotted in the first half of 2009 - exploited a vulnerability in Word that was patched in June 2006, Microsoft said in its bi-annual security intelligence report, released Monday. The flaw was fixed in the MS06-027 security update issued.
The second-most popular exploit, with a 13% share, aimed at a bug that was quashed in March 2008, Microsoft said. The flaw was one of seven patched by the MS08-014 update.
Another massive Windows security update due from Microsoft | Microsoft probing Windows 7 zero day bug | Microsoft Office beta leaks to torrent sites
The 2006 update patched Word 2000, Word 2002 and Word 2003, while the 2008 fix affected Excel 2000, Excel 2002, Excel 2003 and Excel 2007.
Microsoft made the point that patching Office was as important as keeping Windows up-to-date with security fixes. "The majority of Office attacks observed in [the first half of 2009], 55.5%, affected Office program installations that had last been updated between July 2003 and June 2004," the company said in its report. "Most of these attacks affected Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003."
Unfortunately, users are far less likely to update Office than they are to patch Windows. According to Microsoft's data, the median amount of time since the last Office update was an amazing 5.6 years, compared to just 1.2 years since the last Windows update.
"Users can keep Windows rigorously up to date and still face increased risk from exploits unless they also update their other programs regularly," Microsoft warned.
Wolfgang Kandek, the chief technology officer at security vendor Qualys, echoed Microsoft's take on Office patching patterns. "We see the same in our data," Kandek said. "People just don't patch Office, and when they do, they patch it much slower than Windows."
That especially holds true in the enterprise. "This is a major security hole in the enterprise," Kandek said. "IT admins are not focusing on Office as they are on Windows. They do what's required of them," he continued, hinting that they often do little more than that. "Windows' security has a high profile, and so they're patching Windows. I don't think they're looking at Office, to tell you the truth."
Qualys obtains its data from PCs that it manages for its clients, most of which are companies.
.gif)
Add your commentComments
Heywood | Published: 15:47 GMT, 06 November 2009
Andy: If you are under enterprise control, then it's up to the enterprise IT to ensure you're patched. If they're not doing it, they should be fired. If you're not letting them do it, then you should be fired. :)
Andy | Published: 14:44 GMT, 06 November 2009
My Office Suite is an Enterprise release. The machine was given to me with a ghosted corporate image. I am prompted to point to the install files every time I try to patch, which I don't have access to. I work from home and can't access a folder with the files. Hence no updates.
Richard | Published: 12:48 GMT, 06 November 2009
"I don't see why they simply can't replace Windows Update with Microsoft Update, and patch everything." Given the uproar when they pushed out a patch to Windows Update to people who had turned it off, I hate to think what the response would be if they did this. Some people just don't want to have their vulnerabilities patched - maybe they're waiting to get hacked so they can sue Microsoft.