Document shell code attacks loom large

Attacks that utilize vulnerabilities in popular document file formats are becoming popular

Targeted attacks that utilize vulnerabilities in popular document file formats and execute via hard-to-find shell code are becoming an increasingly popular menace, according to researchers at IBM's Internet Security Systems division.

Experts working with the ISS X-Force group said that they've seen a rapid increase in the volume and variety of shell-code execution attacks leveled at their customers over the last 12 months.

Among the types of files most frequently assailed in the attacks are the most common types of documents passed around many organizations today, including Microsoft Word, Excel and PowerPoint formats, as well as Adobe PDF files.

Many times, the infected documents are distributed inside specific organizations by hackers who disguise the threats as legitimate files being disseminated within a business via e-mail. Unlike many Web-based threats, the seemingly innocuous documents typically give no warning that they actually carry malware code.

Since the threats are often sent from spoofed e-mail addresses that appear trustworthy, and live inside document formats that haven't received the same security scrutiny as Web-based applications in recent years, end users are falling for the attacks in large numbers, researchers at the Atlanta-based ISS division contend.

"There are many reasons why these attacks are becoming so prevalent, but primarily it's because it's an attractive method from a crimeware perspective, with a lot of potential for social engineering," said Holly Stewart, product manager with X-Force Threat Analysis Service.

"With every new file format vulnerability that's released, we see huge uptake on the part of the malware community," she said. "It often takes the software vendors a long time to issue security patches, and there are also many low-lying attacks where the vulnerabilities haven't even been disclosed yet."

One of the best examples of such an attack was a spear phishing scheme carried out against workers at the United States Department of Defense last year and reported in late 2006. In the attack, specific Defense Department workers, including members of all four armed services, were sent e-mails from spoofed addresses carrying infected PowerPoint slides.

In Oct. 2006, the Defense Security Service (DSS), which manages civilian contractors' access to DoD infrastructure, warned that tens of thousands of employees worldwide had received the infected attachments, with a "significant number of computers" likely compromised by the attack.

Other, more recent attacks observed by ISS among its customer base involved high-profile Windows vulnerabilities, including the recently patched animated cursor (.ANI) flaw and the Vector Markup Language (VML) glitch. Critical vulnerabilities in Adobe's Acrobat software have also proved fertile ground for hackers, Stewart said.

"File format vulnerabilities weren't being researched by hackers several years ago, but people figured out that this was an easy way to create new attacks that might so they've been using fuzzing technologies to find holes," Stewart said. "We're also seeing the malware writers come up with a large number of variants on their attacks very quickly, sometimes at a rate of one new attack per hour."

ISS maintains that its customers have been protected from the shell-code-level attacks by its products' heuristic behavioral scanning technologies, but contends that most anti-virus applications don't look for the attacks, and that intrusion protection systems (IPS) will miss many variants because the document types being used are harder to scan for potential threats.

At the heart of the shell-code exploit problem is the inability of major software vendors such as Microsoft and Adobe to patch their products quickly, said Kris Lamb, director of X-Force, which provides the threat intelligence used in ISS security products and services.

There is currently a trio of unpatched Word vulnerabilities, among others, that are allowing hackers to continue to carry out their campaigns with success, he said.

"For whatever reason, with file format vulnerabilities it takes a lot longer for the vendors to provide a patch, or the patch isn't readily available," Lamb said. "I'm not sure if this is a function of the process of triaging file format issues, or whether the issues are so prolific and mainstream, and so many people use the affected products, that they're leery to encourage people to reduce functionality for the sake of making them more mature."

In a nod to the challenges software makers face in addressing the problem, Michael Howard, program manager on Redmond, Wash.-based Microsoft's security team and author of a book on the company's Security Development Lifecycle (SDL) process, recently posted a blog entry on the company's Web site that cited some of the problems that allowed the .ANI flaw to get out.

Among the measures the company is considering to improve its vulnerability testing process is to "rethink" some of the heuristic tools it uses to search for potential issues, Howard said.

Many security researchers, particularly white hat hackers, have criticized major software vendors including Microsoft for failing to patch product security flaws more quickly, but Lamb said he doesn't think the problem exists because the developers aren't trying hard enough.

The expert said that software makers are simply overwhelmed by the variety and scope of security issues they're being presented with these days.

"Most large vendors have done a good job over the last two or three years of improving their ability to respond and collaborating with other providers to address problems fast; I don't think the issue is a lack of effort," Lamb said. "However, with the speed with which these application-level problems are being exploited, it's clear that they need to find ways to further improve reaction times."

Matt Hines