Kaspersky has recently published information on what their security products are observing in their clients systems – and the dramatic rise of MS Office as a malware target.
In 2016 MS Office was the target of 16% of attacks, behind Android at 19% and web browsers who were the dominant target with 45% of all attacked users.
By the end of 2018 this had dramatically changed with MS Office now the target of 70% of attacks according to Kaspersky’s telemetry. Symantec reported a similarly dramatic growth in MS Office malware discovered in email attachments earlier this year.
Kaspersky attribute this rapid growth to the publication of a number of zero-day exploits in MS Office in early 2018 that were particularly easy for malware authors to exploit. The ease of exploitation results in rapid response from the criminal underworld. For example, CVE-2017-11882 which was a vulnerability in the Equation Editor component of MS Office was the subject of a significant spam campaign within 24 hours of publication. In fact that CVE and the related CVE-2018-0802 are the most exploited vulnerabilities in MS Office according to Kaspersky’s data.
MS Office is a large family of products and related components that together present a significant attack surface. Although the core products (Word, Excel and PowerPoint) have evolved and improved their security in recent years there are a number of shared components that, for compatibility reasons, have not evolved as rapidly. These include elements such as the Equation Editor and the VB Script engine. The vast majority of vulnerabilities are found in these shared components which are using much older code bases that do not benefit from modern secure coding practices.
Email is the primary attack vector against most organisations and Security Managers are advised to invest in effective security awareness training so business users are wise to the risks of opening unexpected email attachments which could contain malware. Network segmentation which is validated through penetration testing can help contain the spread of malware which does gain access to your network.