Virus news July 27, 2006

It’s common knowledge that the last three years brought a huge number of critical vulnerabilities in Windows. Terms such as RPC DCOM, LSASS, WINS and PnP not only became topics of discussion for system administrators and programmers, but also caused headaches for virus analysts and real problems for rank and file users. Serious loopholes in Windows applications gave virus writers access to tens or hundreds of millions of computers around the world. And they didn’t hesitate to take advantage. These vulnerabilities effectively gave birth to such historic worms as Lovesan, Sasser and Mytob, not to mention hundreds of others which, although less well known to the general public, were actually no less of a threat.

Step by step, by autumn 2005, Microsoft had more or less managed to stem this flood of vulnerabilities. The active promotion of Service Pack 2 for Windows XP helped a great deal. Hackers then switched their attention from the main Windows modules to secondary ones. This was most successful in December 2005, when they managed to exploit a loophole in the parsing of WMF files. Another part of the hacking community focused on identifying security issues in antivirus solutions and networking equipment. And finally, at the end of spring/beginning of summer 2006, MS Office, Microsoft’s second most important (and actually most profitable) product, was targeted.

IT security experts had long ago highlighted security issues in the way in which MS Office applications work with OLE files. In spite of the fact that this file format is relatively well documented, it remains, to a certain extent, a black box with a multitude of cells. There are too many critical areas, and the interaction between OLE object fields is structured in too complex a way. In 2003, all of this led to the appearance of a critical vulnerability in MS Office documents (MS03-037). The vulnerability made it possible for arbitrary code to be executed if a specially crafted document was opened. For a long time this vulnerability was frequently exploited by a number of Chinese hacker groups, and there is reason to believe that these groups were involved in the events which started taking place in March 2006.

The MS06-012 vulnerability affected all MS Office products starting from the year 2000. This was the first warning bell which attracted the attention not only of Microsoft but also of many hackers, who started to intensively investigate the format of OLE documents. Unfortunately, it has to be admitted that the hackers were more effective in their research than Microsoft. The loopholes detected in the last three months differed from each other only slightly. The same problem lay at the heart of all these vulnerabilities: incorrect checking of certain data in the OLE description. Microsoft restricted itself to releasing a limited patch, effectively a band-aid, which did not take into account the fact that surrounding fields in the files needed to be checked as well. The day after the patch was released, information about a new vulnerability surfaced. It’s somewhat ironic that these multiple problems in MS Office, and in particular in Excel, came to light almost at the same time as Google launched its own spreadsheet program.

The information below, provided by US-CERT, shows the course of events:

* 03/14/2006 Microsoft Office routing slip buffer overflow
* 03/14/2006 Microsoft Excel malformed record memory corruption vulnerability
* 03/14/2006 Microsoft Excel fails to properly perform range validation when parsing document files
* 03/14/2006 Microsoft Excel malformed graphic memory corruption vulnerability
* 03/14/2006 Microsoft Excel malformed description memory corruption vulnerability
* 03/14/2006 Microsoft Excel malformed parsing format file memory corruption vulnerability
* 05/19/2006 Microsoft Word object pointer memory corruption vulnerability
* 06/13/2006 Microsoft PowerPoint malformed record vulnerability
* 06/16/2006 Microsoft Excel vulnerability

The vulnerability identified on the 19th of May was the main threat. The vulnerability was made public only once it was discovered that a Trojan program which exploited it had been mass mailed using spammer technologies. This was a case in which virus writers once again used a vulnerability which no one else had heard of - a so-called zero-day exploit. Such vulnerabilities are extremely dangerous because software developers have to spend time developing and releasing a patch while malicious code is already circulating and spreading on the Internet.

It took Microsoft almost a month to release patches for the MS06-027 (Word remote code execution) and MS06-028 (PowerPoint remote code execution) vulnerabilities. Users have of course become used to the fact that Microsoft sticks to its patch schedule with almost fanatical precision, releasing patches on the second Tuesday of every month. This might be reasonable if, two days after the patches were released on 13th June, an almost identical vulnerability had not been identified in MS Excel. It’s almost inexplicable that, when developing the patch, the developers did not check for the existence of a similar problem in Excel. In fact, it is inexplicable. The last third of June brought another two vulnerabilities in MS Office - Microsoft Windows Hyperlink Object Library Buffer Overflow and Microsoft Excel ‘Shockwave Flash Object’ Lets Remote Users Execute Code Automatically.

When Kaspersky Lab analysts researched the vulnerabilities, it became clear that the same problem lay at the bottom of them all. Microsoft should have checked all fields of OLE objects (of which there are more than 100) rather than just releasing separate patches for each individual loophole.
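The point made here and above, that the OLE fields have to be checked against each other rather than one at a time, can be illustrated with a small consistency checker for the header of an OLE compound (MS-CFB) file. This is an added example, not Kaspersky Lab's code nor anything from Microsoft's patches; it relies on the published MS-CFB header layout (512-byte header, sector shift, FAT/DIFAT counts and pointers), and the sample files it checks are constructed inline. Every size and sector pointer in the header is cross-checked against the other fields and against the real file length, which is the kind of whole-structure validation a parser, or a mail gateway triaging attachments, would want before trusting the document.

```python
"""Cross-field consistency checks on an OLE compound (MS-CFB) file header.

Added example, not code from the article or from Microsoft. Field offsets
follow the public MS-CFB specification; the sample files are constructed
below for demonstration.
"""
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT = 0xFFFFFFFF      # unused DIFAT slot
ENDOFCHAIN = 0xFFFFFFFE    # "no further sector" marker
HEADER_SIZE = 512
DIFAT_IN_HEADER = 109      # FAT sector numbers stored directly in the header


def validate_cfb_header(data: bytes) -> list[str]:
    """Return a list of inconsistencies found in the header.

    An empty list means every field agrees with the others and with
    len(data); it does not mean the file is safe, only that a parser may
    trust the header's sizes and sector pointers.
    """
    findings: list[str] = []
    if len(data) < HEADER_SIZE:
        return ["file shorter than the 512-byte CFB header"]
    if data[:8] != CFB_MAGIC:
        return ["missing CFB signature"]

    # Offsets 24..33: minor/major version, byte order, sector shift, mini shift
    _minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 24)
    # Offsets 40..75: counts and first-sector pointers
    (n_dir, n_fat, first_dir, _txn, mini_cutoff,
     first_minifat, n_minifat, first_difat, n_difat) = struct.unpack_from("<9I", data, 40)
    difat = struct.unpack_from("<109I", data, 76)   # offsets 76..511

    if byte_order != 0xFFFE:
        findings.append(f"byte-order mark {byte_order:#06x} != 0xfffe")
    if major not in (3, 4):
        findings.append(f"unsupported major version {major}")
    if sector_shift not in (9, 12):
        # All later size arithmetic depends on the shift; stop here.
        findings.append(f"sector shift {sector_shift} is neither 9 (v3) nor 12 (v4)")
        return findings
    if {3: 9, 4: 12}.get(major) not in (None, sector_shift):
        findings.append(f"sector shift {sector_shift} does not match major version {major}")
    if mini_shift != 6:
        findings.append(f"mini sector shift {mini_shift} != 6")
    if mini_cutoff != 0x1000:
        findings.append(f"mini stream cutoff {mini_cutoff:#x} != 0x1000")
    if major == 3 and n_dir != 0:
        findings.append("v3 header must carry a zero directory-sector count")

    sector_size = 1 << sector_shift
    file_sectors = (len(data) - HEADER_SIZE) // sector_size   # sectors really present

    def in_file(sect: int) -> bool:
        return sect < file_sectors

    # Counts and pointers must fit inside the bytes actually on disk.
    if n_fat > file_sectors:
        findings.append(f"FAT sector count {n_fat} exceeds the {file_sectors} sectors in the file")
    if not in_file(first_dir):
        findings.append(f"first directory sector {first_dir:#x} lies beyond end of file")
    if n_minifat and not in_file(first_minifat):
        findings.append(f"first mini-FAT sector {first_minifat:#x} lies beyond end of file")

    # The header DIFAT lists the first FAT sectors; unused slots must be FREESECT.
    used = min(n_fat, DIFAT_IN_HEADER)
    bad = [i for i, s in enumerate(difat) if (i < used and not in_file(s)) or (i >= used and s != FREESECT)]
    if bad:
        findings.append(f"{len(bad)} header DIFAT entries are inconsistent (first at index {bad[0]})")
    if n_fat <= DIFAT_IN_HEADER and (n_difat != 0 or first_difat != ENDOFCHAIN):
        findings.append("DIFAT chain declared although the header DIFAT holds every FAT sector")
    elif n_fat > DIFAT_IN_HEADER and not in_file(first_difat):
        findings.append(f"first DIFAT sector {first_difat:#x} lies beyond end of file")
    return findings


def build_sample(n_fat: int = 1, first_dir: int = 1, sectors: int = 2) -> bytes:
    """Construct a minimal v3 file: header plus `sectors` blank 512-byte sectors."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<9I", hdr, 40, 0, n_fat, first_dir, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))   # FAT lives in sector 0
    return bytes(hdr) + bytes(sectors * 512)


if __name__ == "__main__":
    print("well-formed :", validate_cfb_header(build_sample()))
    # Oversized FAT count and a directory pointer past the end of the file
    print("malformed   :", validate_cfb_header(build_sample(n_fat=0x7FFFFFFF, first_dir=0x1000)))
```

Run as a script it reports an empty list for the constructed well-formed file and several findings for the malformed one. The design choice worth noting is that no single field is judged in isolation: the FAT count is compared with the number of sectors the file really contains, the DIFAT slots are interpreted in the light of that count, and the version decides which sector shift is legal. A patch that only clamps one of these values, as the article describes, leaves the neighbouring fields free to contradict it.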

The fact that nearly all these vulnerabilities were initially identified by members of the black hat community, and used to spread malicious code, makes the situation all the more critical. Virus writers are currently a step ahead of the game, and are in an excellent position to release new, dangerous programs on the Internet.

Kaspersky Lab strongly urges all users and system administrators to implement and enforce a security policy relating to MS Office documents; not to open files which come from an unknown source; and to scan such files for malicious code. Naturally, where patches are available, they should be installed.
