Flaw finders lay siege to Microsoft Office
'These guys are using fuzzing tools and producing a large number of bugs'
For most of the summer, Microsoft's Office product teams have had little time for development. Responding to a steady influx of flaws in the company's Office productivity suite has occupied many of Microsoft's programmers since late 2005. So far this year, the software giant has detailed at least 24 Office flaws found by outside researchers in its monthly bulletins, six times the number of Office flaws found in all of 2005. The count also surpasses the 20 flaws that Microsoft has fixed so far this year in Internet Explorer, a perennial favorite among vulnerability researchers.
The extraordinary jump in the number of flaws discovered by researchers in the components of Office has worried system administrators and forced Microsoft to spend development time on fixing the issues.
"When our security process gets activated, the application team is essentially ours," said Stephen Toulouse, security program manager for Microsoft's Security Response Center (MSRC). "It is not just that they are on-call, but they are working around the clock on response and updates."
The deluge of vulnerabilities for the Office programs - Word, Excel, PowerPoint, Outlook, and, for professional users, Access -signals a shift in the focus of vulnerability research and underscores the impact of flaw-finding tools known as fuzzers. The vulnerabilities in Office also highlight the threat that such files, if remained unchecked, can pose to a corporate network. Not since the days of macro viruses and Melissa have Office files posed such a danger to computer security.
The focus on Office flaws is a microcosm of the overall shift among vulnerability researchers from network service and server flaws to the application flaws that can be exploited to compromise a user's PC. Browsers, of course, are a popular target, but vulnerabilities have also been found in music-player software, image formats, the Macromedia Flash and Shockwave, e-mail readers and desktop security software.
"Nobody, I think, a year and a half ago would have thought that iTunes would have been a threat," Microsoft's Toulouse said.
Microsoft frequently sees such shifts in what vulnerability researchers find interesting, according to Toulouse. Yet, finding out what attracts researchers is more difficult, he said.
The initial signs of interest in Microsoft Office appeared last December, when one researcher attempted to auction off a vulnerability in Excel, only to have the high-profile auction canceled by eBay. Microsoft released its first major round of fixes for Office about four months later, approximately the average time that the software giant takes to patch flaws.
After that, a trickle turned into a flood.
"It's like someone opened the door and everyone wants to be in the same room," said Rohit Dhamankar, manager of security research for TippingPoint, a division of 3Com. "Once someone says, 'Look, this is an avenue of attack,' people from all over the world start concentrating on it."
TippingPoint, through its Zero-Day Initiative, has notified Microsoft of at least two flaws in Office discovered by independent researchers and patched by the software giant this year. TippingPoint's ZDI pays researchers a bounty for finding software flaws in common applications, a program that has caused some controversy.
While a vulnerability in a remote network service could be exploited to create a worm and tends to worry system administrators more, the rash of attacks leveraging the Office vulnerabilities to compromise specific companies underscores the seriousness of the current threat.
A limited number of companies have been targeted by Trojan horse Word documents, Excel spreadsheets, and PowerPoint presentations containing code to exploit previously unknown flaws within Office. The attacks appear to continue a trend of targeted espionage coming from within China. While security experts are careful to point out that the attacks may just be entering the U.S. from a compromised Chinese server, the continuing attacks from the same IP address space increasingly make that unlikely.
Not only are the attacks coming from China, but Chinese hacker clubs appear to be showing the lion's share of interest in finding flaws in Office, according to security experts. These groups are focused on using flaw information for financial gain, said Marcus Sachs, director of the SANS Internet Storm Center and the deputy director of the computer science laboratory at SRI International.
"My conclusion is the source of most of this trouble is coming out of China," Sachs said. "I think the technicians who are finding the flaws are selling the method of access to the intelligence or espionage community."
The hacker groups appear to be using data-fuzzing techniques to find flaws in Excel and other Office applications, agreed David Cole, director for Symantec's Security Response group. (SecurityFocus is owned by Symantec.)
"Given the number of Office flaws, it really feels like someone is fuzzing Microsoft Office and creating malicious files with the results," Cole said. "Someone is adamant about finding this stuff."
Of the public flaws detailed by Microsoft in July, at least four appear to have come from Chinese researchers. Other flaws were found as part of a vulnerability bounty program, so the sources of those issues are unknown. In total, at least seven of the last seventeen flaws appear to come from efforts by Chinese researchers.
"This is reminiscent of a few years ago when Russian (researchers) were doing stuff using issues in IIS and browser helper objects," ISC's Sachs said.
While Office files require some user interaction to compromise a victim's system, most workers are now accustomed to receiving such files, especially if attached to an e-mail that appears to be genuine, said Mikko Hyppönen, chief research officer for antivirus firm F-Secure.
"First and foremost, it is the easiest way to get through the most obvious barriers to entry in a corporate network: the firewall and antivirus," Hyppönen said. "If you try to use other executable code, the firewall or antivirus software will stop you. It is much easier to get in to reach the desktop if the document you are sending is an Excel file or a PowerPoint file or a Word file."
Hyppönen expects the attacks to continue, driven by a readily available source of flaws generated by fuzzing tools.
In fact, fuzzing tools appear to be the source of the deluge of Office flaws.
Once considered a crutch for the lowest form of code hacker - the much-denigrated "script kiddie" - data-fuzzing tools have gained stature to now be considered an efficient way to find vulnerabilities, especially obscure ones.
Fuzzers automate the process of trying to break an application by sending it unexpected data. Given a set of rules for constructing a file or an online form, a fuzzer will create every conceivable variation. Increasingly, vulnerability researchers and hackers are turning to tools to automate the discovery of flaws. For example, Next-Generation Security Software, a U.K. based technology consultancy, used a homegrown data-fuzzing tool to find the recent flaw fixed by Microsoft in the way Excel handles LABEL record files.
"Fuzzing and understanding file formats is the way that a lot of people are progressing along," said Sherief Hammad, founding director of NGSSoftware. "It is pretty easily, programmatically, to build up a file with malformed input. Sometimes that is a better way to analyze program flaws."
In July, security researcher HD Moore promised to release a browser bug every day of the month, highlighting the utility of data-fuzzing tools, but also the threat to software companies and their customers of falling behind the attackers in using such tools.
"Just like Moore is putting out a bug a day, these guys are using fuzzing tools and producing a large number of bugs," ISC's Sachs said.
Between Moore's focus on Internet Explorer flaws and the automated search for Office flaws, Microsoft's programmers have their work cut out for them, and system administrators should expect more fixes for software flaws from Microsoft. NGSSoftware, at least, has found two more vulnerabilities and reported them to Microsoft. In addition, the latest targeted Trojan horse attack uses a vulnerability in PowerPoint that the software giant still has to fix.
Moreover, the flaws reported to date are only due to a limited amount of effort using fuzzers, TippingPoint's Dhamankar stressed. Researchers do not typically have access to the detailed information about file formats for Microsoft's Office, so their efforts to date have been limited.
"What you are seeing right now is just investigation into one part of the file format, and people have a lot more records to look at," TippingPoint's Dhamankar said.
This article originally appeared in Security Focus.
Copyright © 2006, SecurityFocus