Pre-packaged exploit kits for Microsoft Office

A new Sophos report on vulnerabilities in Microsoft Office reveals some of the underlying business behind trying to infect computers.

We often talk about hackers making special documents or files, then trying to trick you into opening those files and infecting your computer. The term ‘hackers’ is misleading because it makes it seem like there are just a few people huddled over computers.

While there are ‘traditional’ hackers, a lot of virus infection is run by shady and unscrupulous businesses. Sophos calls them ‘criminal groups’, which is correct, but like many large criminal groups they are businesses too.

They want to encrypt your documents and demand money for the key to unlock them (‘ransomware’), spy on your computer and documents for identity theft, or turn your computer into a ‘bot’ to infect or attack other computers. A lot of that is done by taking advantage of security gaps in Microsoft Office, and it’s been that way for many years.

Exploit Kits

These businesses don’t discover security holes in Office themselves. They get ‘Exploit Kits’ which have done all the hard work. With an exploit kit, they can make emails and documents to try infecting the unwary.

That explains why some old and well-known exploits, like CVE-2012-0158 from 2012, were regularly used even this year. That hack used ActiveX controls in Office documents and RTF files to infect computers. The security bug in Office was dealt with by Microsoft back in 2012.

The exploit kits have now been upgraded to take advantage of newer exploits.  The current ‘exploit du jour’ is known as CVE-2015-1641 which uses an RTF file to corrupt the memory used by Office and run nasty code. This security hole was fixed by Microsoft over a year ago.

What this means to you

For heaven’s sake, keep your Office and Windows up to date with security patches. Happily, that’s quite easy these days with automatic downloads and updates.

We have concerns about auto-updating Office. There have been too many cases of the cure (a patch from Microsoft) being worse than the disease. It would be better if security updates were not ‘mixed’ with feature updates, especially for Office for Windows/Mac ‘click to run’ customers (Office 365).

All up, you’re much better off keeping your Office and Windows updated via the automatic system.

About this author

Office-Watch.com

Office Watch is the independent source of Microsoft Office news, tips and help since 1996. Don't miss our famous free newsletter.