2/11/07
Posted by Dave
5 Star Support Security Specialist
The latest vulnerability recently announced for Microsoft Office concerns an
attack vector through Microsoft Excel. This vulnerability is in addition to
the four other exploits for Microsoft Office where the attack vector is
through Word. All of these vulnerabilities are being actively exploited as
of this writing. The latest vulnerability for Excel is addressed by
Microsoft in Security Advisory 932553 and is included below for your
reference. All of these vulnerabilities are unpatched as of this writing.
There has been a trend from malware writers for over a year now in which
Microsoft Office is the target instead of Microsoft Windows, the operating
system that runs your computer. There has been a new vulnerability for
Microsoft Office announced at least once monthly since January 2006 for all
but one month. The trend continues today. Initially, reports of these
vulnerabilities always seem to point to Office 2000, which is probably the
most widely used version of Office, especially in business use. It is clear to
me, after further investigation however, that most of these vulnerabilities
also affect all versions of Microsoft Office from Office 97 to at least
Office 2003. In fact, if you read the Microsoft advisory I have included at
the bottom of this paper, you will find that although security vendors have
announced this vulnerability as affecting Microsoft Office 2000, it actually
affects Office 97, Office 2000, Office XP, Office 2003, and Office 2004 for
Mac as well. That is a pretty big target.
It is also clear that these vulnerabilities are not easy for Microsoft to
patch, as almost all of the patches are not released until anywhere from
four to seven weeks after the vulnerability is announced. There was one case
in 2006 when Microsoft released an unusual out-of-cycle patch, but the patch
still took almost three weeks to create. Even though this is a record for
rapid response from any major software vendor, it still leaves users
unprotected for some time.
Even if you already are in the good habit of using Windows Update or
Microsoft Update (personally, I recommend Microsoft Update) on a monthly
basis, I strongly recommend you check Office Update monthly as well. This
will keep your Microsoft Office products up to date too. Do
not simply trust Microsoft Update to do everything for you. As for me, I
never trust any program or site to do everything automatically for me. It’s
just begging for trouble because something was missed. Double check
everything yourself.
In order to help you remain protected, I have the following recommendations
that will help you avoid being taken advantage of by most of these
vulnerabilities, and they mostly involve simply getting into good habits
while using your computer.
Do not open any attachment from any source that you are not specifically
expecting.
If you get an attachment you did not know was coming and you want to open
it, check via email to be certain the sender sent it to you. This may seem
to be a waste of time, but I can assure you that it takes less time to do
this than it would to fix a compromised computer. Email addresses can be
easily spoofed, so you can receive an email from someone you know by address
that he or she did not actually send to you.
When sending email with attachments, get into good habits for both yourself
and your contacts. Send an email first to indicate you are sending a
following email that contains an attachment, and specify what kind of file
attachment it is. If you do this, the above verification step would not be
necessary. Remember that an executable file can be embedded in almost any
kind of attachment. Consider using plain text (.txt) for documents instead.
Consider sending, opening, and reading all email in plain text form. This is
much safer than HTML because a file cannot be executed or run from within
plain text.
Before opening an attachment, get in the habit of scanning it first with
your anti-virus security software.
Both you and your frequent contacts should use a good anti-virus product
that scans all email, both incoming and outgoing. AVG Anti-Virus is a good
example of this, and it is a feature of all versions, including the free
version.
Be very careful when clicking on a link to a file or document from a web
page, especially if it is on a site you are not familiar with. If you are
not sure, just don’t click on the link. Many sites have fallen prey to a
cracker who has embedded his own desired link address within a web page, or
changed the location the link points to without changing the name of the
link.
In addition to Windows, be sure to check the Microsoft Office Update site
monthly. If you need the address, it is located here:
http://office.microsoft.com/en-us/downloads/maincatalog.aspx
Once installed, it cannot be removed. Simply download and follow the
installation instructions. Microsoft describes this tool as follows:
Microsoft has released a tool that will require confirmation before opening
Office 97 and Office 2000 documents (Word, Excel, PowerPoint, or Access)
launched from within Internet Explorer. By default, Internet Explorer issues
a security warning before launching unknown applications and files, allowing
users to choose not to open them. This tool gives users the option to treat
Office documents in the same way, preventing them from automatically opening
when a user clicks on a link to an Office document, or browses to a Web page
that hosts an Office document.
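The attachment advice above and the confirm-before-opening idea behind Microsoft's tool can also be applied where mail is received. The following Python code is an added example, not part of the original article or of Microsoft's tool: it holds any attachment whose content begins with the OLE2 compound-file signature used by the Office 97 through 2003 binary Word, Excel and PowerPoint formats, even when the file name claims another type. The function names, the extension list and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Signature that starts every OLE2 compound file, the container used by the
# binary Word, Excel and PowerPoint formats of Office 97 through 2003.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Assumed extension list for the legacy Office applications the article names.
LEGACY_OFFICE_EXT = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps", ".mdb"}


def triage_attachments(raw_message: bytes) -> list:
    """Return one record per attachment with a hold decision and reasons."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = PurePosixPath(name.lower()).suffix
        data = part.get_payload(decode=True) or b""
        is_ole2 = data.startswith(OLE2_MAGIC)
        reasons = []
        if is_ole2:
            reasons.append("OLE2 content (legacy Office document)")
        if ext in LEGACY_OFFICE_EXT:
            reasons.append("Office extension " + ext)
        if is_ole2 and ext not in LEGACY_OFFICE_EXT:
            reasons.append("content does not match file name")
        records.append({"name": name, "hold": bool(reasons), "reasons": reasons})
    return records


def build_sample() -> bytes:
    """Constructed message: a text note plus two header-only OLE2 payloads."""
    m = EmailMessage()
    m["From"], m["To"] = "colleague@example.com", "you@example.com"
    m["Subject"] = "Q1 numbers"
    m.set_content("See attached.")
    fake_ole = OLE2_MAGIC + b"\x00" * 504  # signature only, not a real workbook
    m.add_attachment("plain notes\n", filename="notes.txt")
    m.add_attachment(fake_ole, maintype="application", subtype="vnd.ms-excel", filename="budget.xls")
    m.add_attachment(fake_ole, maintype="application", subtype="octet-stream", filename="readme.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for rec in triage_attachments(build_sample()):
        print("HOLD" if rec["hold"] else "pass", rec["name"], rec["reasons"])
```

A held attachment is not necessarily malicious; the hold is the point at which to confirm with the sender and scan the file before opening it.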
Try using my recommendations and install the new tool from Microsoft for
Office and I think you will find that you and your computer will remain much
safer and more secure. If you would like further information, Microsoft
Security Advisory 932553 is included below. I think you will find that
Microsoft’s recommendations are similar to mine, but don’t go as far.
Until next time here on 5 Star Support, happy computing to all.
Dave