Document shell code attacks loom large

Attacks that utilize vulnerabilities in popular document file formats are becoming popular

Targeted attacks that utilize vulnerabilities in popular document file formats and execute via hard-to-find shell code are becoming an increasingly popular menace, according to researchers at IBM's Internet Security Systems division.

Experts working with the ISS X-Force group said that they've seen a rapid increase in the volume and variety of shell-code execution attacks leveled at their customers over the last 12 months.

Among the types of files most frequently assailed in the attacks are the most common types of documents passed around many organizations today, including Microsoft Word, Excel and PowerPoint formats, as well as Adobe PDF files.

Many times, the infected documents are being distributed inside specific organizations by hackers who disguise the threats as legitimate files being disseminated within a business via e-mail. Unlike many Web-based threats, the seemingly-innocuous documents typically give no warning that they actually carry malware code.

Since the threats are often sent from spoofed e-mail addresses that appear trustworthy, and live inside documents that haven't been tabbed with the same security concerns as Web-based applications in recent years, end users are falling for the attacks in large numbers, researchers at the Atlanta-based ISS division contend.

"There are many reasons why these attacks are becoming so prevalent, but primarily it's because it's an attractive method from a crimeware perspective, with a lot of potential for social engineering," said Holly Stewart, product manager with X-Force Threat Analysis Service.

"With every new file format vulnerability that's released, we see huge uptake on the part of the malware community," she said. "It often takes the software vendors a long time to issue security patches, and there are also many low-lying attacks where the vulnerabilities haven't even been disclosed yet."

One of the best examples of such an attack was a spear phishing scheme carried out against workers at the United States Department of Defense last year that was reported in late 2006. Through the attack, specific Defense Department workers, including members of all four armed services, were sent e-mails from spoofed addresses that carried infected PowerPoint slides.

In Oct. 2006, the Defense Security Service (DSS), which manages civilian contractor's access to DoD infrastructure, warned that tens of thousands of employees worldwide had received the infected attachments, with a "significant number of computers" likely compromised by the attack.

Other more recent attacks observed by ISS among its customer base involved high-profile Windows vulnerabilities including the recently-patched animated cursor (.ANI) flaw and the Vector Markup Language (VML) glitch. Critical vulnerabilities in Adobe's Acrobat software have also proved fertile ground for hackers, Stewart said.

"File format vulnerabilities weren't being researched by hackers several years ago, but people figured out that this was an easy way to create new attacks that might so they've been using fuzzing technologies to find holes," Stewart said. "We're also seeing the malware writers come up with a large number of variants on their attacks very quickly, sometimes at a rate of one new attack per hour."

ISS maintains that its customers have been protected from the shell-code level attacks based on its products' heuristic behavioral scanning technologies, but contends that most anti-virus applications don't look for the attacks, and that intrusion protection systems (IPS) will miss many variants because the types of documents being used are harder to scan for potential threats.

At the heart of the shell-code exploit problem is a lack of ability for major software vendors such as Microsoft and Adobe to patch their products quickly, said Kris Lamb, director of X-Force, which provides threat intelligence used in ISS security products and services.

There are currently a trio of un-patched Word vulnerabilities, among others, that are allowing hackers to continue to carry out their campaigns with success, he said.

"For whatever reason, with file format vulnerabilities it takes a lot longer for the vendors to provide a patch, or the patch isn't readily available," Lamb said. "I'm not sure if this is a function of the process of triaging file format issues, or whether the issues are so prolific and mainstream, and so many people use the affected products, that they're leery to encourage people to reduce functionality for the sake of making them more mature."

In a nod to the challenges faced by software makers in addressing the problem, Michael Howard, program manager on Redmond, Wash.-based Microsoft's security team and author of a book on the company's Security Development Lifecycle (SDL) process, recently posted a blog to the company's Web site that cited some problems that allowed for the .ANI flaw to get out.

Among the measures the company is considering to improve its vulnerability testing process is to "rethink" some of the heuristics tools its uses to search for potential issues, Howard said.

Many security researchers, particularly white hat hackers, have criticized major software vendors including Microsoft for failing to do a better job of patching product security flaws more quickly, but Lamb said he doesn't think the problem exists because the developers aren't trying hard enough.

The expert said that software makers are simply overwhelmed by the variety and scope of security issues they're being presented with these days.

"Most large vendors have done a good job over last two or three years of improving their ability to respond and collaborating with other providers to address problems fast, I don't think the issue is a lack of effort," Lamb said. "However, with the speed with which these applications-level problems are being exploited, it's clear that they need to find ways to further improve reaction times."

Join the PC World newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matt Hines

InfoWorld

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?