Russian security biz Kaspersky Lab has said more than 70 per cent of malware attacks it detected last year were made against everyone's favourite Microsoft suite – Office.
"In the past few months, MS Office... became the most targeted platform," the firm said in a blog post. It produced a graph showing that between Q4 2016 and Q4 2018, Office-targeting attacks rose from 16 per cent of total Kaspersky detections to more than two-thirds.
The outfit also reported a switch away from ne'er-do-wells exploiting web-based vulns. Over the same period, browser-targeting attacks shrank from 45 per cent to just 14 per cent of the total seen by Kaspersky.
"Malware authors prefer simple, logical bugs. That is why the equation editor vulnerabilities CVE-2017-11882 and CVE-2018-0802 are now the most exploited bugs in MS Office. Simply put, they are reliable and work in every version of Word released in the past 17 years," Kaspersky commented. Rival infosec unit FireEye also noticed the 2017 CVE being thoroughly abused back in mid-2018, which tends to corroborate Kaspersky's findings. Worryingly, the 2018 CVE mentioned by Kaspersky was patched in January that year, suggesting user and/or sysadmin slackness has a part to play in the popularity of these particular problems.
There's also, as Kaspersky pointed out, CVE-2018-8174 – the infamous Windows VBScript engine vuln which Microsoft said it patched, only for world+dog to discover that they hadn't. As we reported at the time, this was "a use-after-free() vulnerability in the scripting engine that could be exploited by a booby-trapped web page, when opened with Internet Explorer, or a malicious document, when opened by Office, to execute arbitrary devilish code with the current user's rights".
Kaspersky suggested that one of the main reasons such vulns still exist is Microsoft's not unreasonable insistence on maintaining backward compatibility with Stone Age versions of Office from the turn of the millennium, which means retaining functionality that would otherwise long have been consigned to the recycling bin.
Even so, reporting these vulns brings an all-too-obvious flaw to light: "Once a technical report for a vulnerability goes public, an exploit for it appears on the dark market in a matter of days. Bugs themselves have become much less complex, and sometimes a detailed write-up is all a cybercriminal needs to build a working exploit."
Short of the usual "keep everything patched" advice, or doing something left-field like dumping Office for open-source software, there's not a whole lot Average Joe can do.
Even patching immediately comes with its own set of potentially server-killing pitfalls, as Sophos's ongoing Microsoft horror revealed. A Sophos spokeswoman told The Register that, as of this morning, they had no update for the Windows Update problem. ®