More than half of the attacks against Microsoft Office applications during the first six months of 2009 were against applications that had not been patched in more than five years. In its semi-annual Security Intelligence Report, a six-month review of malware and attack trends released Monday, Microsoft found that 55.5 percent of the attacks being thrown against Office applications such as Word, Excel and PowerPoint were trying to exploit installations that hadn’t been updated at all since at least June 2004.
“Most of these attacks affected Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003,” Microsoft said in the report. “Users who do not keep both their Office program installations and Windows operating systems up to date with service packs and security updates are at increased risk of attack.”
The data, which the company collects from millions of Windows machines around the world, also showed that the owners of these PCs were much more likely to have updated the operating system itself in that time frame, while ignoring the Office applications.
Given the current trend toward attackers targeting applications at a much higher rate than the operating system, this is a troubling finding. Microsoft also found that the vulnerabilities that attackers are targeting in the Office applications are quite old. More than half of the attacks targeted vulnerabilities that were patched in 2006.
The most significant of these is the infamous MS06-027 vulnerability, a remote-code execution flaw in Microsoft Word, which the company patched in June 2006. The vulnerability was disclosed publicly before a patch was available and at the time of the patch release, there were active exploits against the flaw. That was nearly three and a half years ago.