Microsoft Office is increasingly a choice target for cybercriminals

Shawn Knight

TechSpot Staff
Staff member

Kaspersky at its recent Security Analyst Summit (SAS) shared a trend that surprised even its own researchers.

In the fourth quarter of 2016, cybercriminals largely favored web-based vulnerabilities that could be exploited via browser software. Just two years later in the fourth quarter of 2018, the security company found that Microsoft Office is now targeted in a whopping 70 percent of attacks.

Browsers accounted for 45 percent of attacks in 2016; now, that figure is down to just 14 percent.

Kaspersky noted that the turnaround time for exploiting a vulnerability has shortened substantially, adding that malware authors now prefer simple, logical bugs. This is evident by looking at the most exploited bugs in Office: equation editor vulnerabilities CVE-2017-11882 and CVE-2018-0802.

Simply put, they are reliable and work in every version of Word released in the past 17 years. And, most important, building an exploit for either one requires no advanced skills. That’s because the equation editor binary didn’t have any of the modern protections and mitigations you’d expect from an application in 2018.

The problem, Kaspersky said, is that Office’s attack surface is huge. What’s more, some of the decisions Microsoft made when creating Office now look flat out bad but changing them would “devastate backward compatibility.”

Threat intelligence company Recorded Future last month found that eight of the top 10 vulnerabilities in 2018 targeted Microsoft products.

Lead image courtesy dennizn via Shutterstock

Permalink to story.


Cycloid Torus

Stone age computing - click on the rock below..
Couldn't happen to nicer really... Microsoft is one of the most likely to do something (eventually). 70% of the huge steaming mass of nasty-izers focused in one place? I sure hope the 'honey pot' element of this phenomenon gets to be realized.
Go Mr Softeee, GO!!

Uncle Al

TS Evangelist
Since I moved to LibreOffice a few years back I never looked back. You would expect that the "mental giants" at Microsoft would have figured out years ago that a major change was needed. They could advertised to the public the change was coming in 24 months, more than adequate for people to bring their files up to date and why couldn't Microsoft, with all their power and all their coders not come up with a transition program that would convert old format files to the new one?

There is simply NO excuse, which is why I dumped them and I'm finding that a LOT of my clients are as well .....


TS Guru
The biggest change was browser vulnerability. That dropped 45 to 14% as IE users switched to Chrome, Firefox, or really any other browser than IE.


TS Evangelist
Good. Hopefully this spurs Microsoft into updating all the legacy code as they find vulnerabilities. Start with the equation editor cited in the example; give us a way to type in equations like you can with LaTeX.