Microsoft Office vulnerabilities ‘targeted in 70% of attacks’

Microsoft Office vulnerabilities 'targeted in 70% of attacks'

Hackers are increasingly looking to exploit vulnerabilities in Microsoft Office's suite of applications, with the proportion of attacks targeting the software increasing fourfold in the last two years.

This is according to new data from Kaspersky Lab, which found that 70 per cent of attacks it detected in the final quarter of 2018 were looking to take advantage of flaws in Office. 

By comparison, just 16 per cent of attacks in Q4 of 2016 were focused on this area. Kaspersky said one reason for this growth in popularity is that an entire cyber crime ecosystem has built up around the technology, and once a vulnerability becomes known, exploits for it can appear for sale on the dark web within days, making it easier for malware distributors to target users.

"Bugs themselves have become much less complex, and sometimes a detailed write-up is all a cybercriminal needs to build a working exploit," the company stated.

Kaspersky noted, however, that the majority of exploits are not aimed at Office programs themselves, but rather vulnerabilities that exist in related components that come as part of the Office package.

For instance, two of the most exploited vulnerabilities highlighted are targeted at Office's legacy Equation Editor component.

"Malware authors prefer simple, logical bugs," the company said. "That is why the equation editor vulnerabilities CVE-2017-11882 and CVE-2018-0802 are now the most exploited bugs in MS Office. Simply put, they are reliable and work in every version of Word released in the past 17 years."

Therefore, not all of the vulnerabilities used will directly impact Office tools, but simply exploit files that are used within the suite's applications.

Kaspersky's findings have also been backed up by recent research from security firm Recorded Future. In its latest vulnerability report, the company found eight out of the top ten vulnerabilities seen in 2018 were targeted at Microsoft products, six of which are either related to direct flaws in Office, or are vulnerabilities that are exploitable via Office files.