
Microsoft calls for Office attack victims to be more vigilant with security patches

21 May 2013

Microsoft has called on businesses to take a more proactive approach to its security updates, following the discovery of a campaign that is still infecting thousands of machines by exploiting an Office vulnerability that has already been patched.

Security firm Trend Micro uncovered the campaign, codenamed Safe, targeting older versions of Microsoft Office on Friday. "The distribution mechanism the Safe campaign used involved spear-phishing emails that contain a malicious attachment," the report said.

"This technique, which is quite common for APT campaigns, encourages a recipient to open a malicious attachment by sending an email with contextually relevant content. We discovered several malicious documents that all exploited a Microsoft Office vulnerability (CVE-2012-0158). If opened with a version of Microsoft Word that is not up to date, a malicious payload is silently installed on the user's computer."

Microsoft said it is aware of the attack and confirmed that the vulnerability has already been fixed, so only customers who have failed to install the patch are at risk.

Microsoft Trustworthy Computing group manager Dustin Childs said: "Microsoft addressed this issue in April 2012 with Security Bulletin MS12-027 and we strongly encourage all customers to ensure their systems are up to date with the latest Security Updates. Customers with automatic updates enabled do not need to take action, as those systems were automatically protected when we originally released the security update last year."

Even with the fix live, Trend Micro said the full extent of the campaign remains unknown, although it has already linked several thousand IP addresses to it, suggesting a moderately wide reach.

The report continued: "While we have yet to determine the campaign's total number of victims, it appears that nearly 12,000 unique IP addresses spread over more than 100 countries were connected to two sets of command-and-control (C&C) infrastructures related to Safe. We also discovered that the average number of actual victims remained at 71 per day, with few if any changes from day to day.

"This indicates that the actual number of victims is far less than the number of unique IP addresses. Due to large concentrations of IP addresses within specific network blocks, it is likely that the number of victims is even smaller and that they have dynamically assigned IP addresses, which have been compromised for some time now. Investigating targeted campaigns involves more than simply collecting actionable indicators like malware samples and C&C server information."
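The quoted reasoning, that a raw count of unique IP addresses overstates the victim population when infected hosts sit on dynamically assigned addresses inside a few network blocks, can be turned into a small analysis script. The following is an added example written for this page, not code from Trend Micro's report or from the article; the beacon log lines are constructed, and the lower/upper bound heuristic in `victim_bounds` is an assumption of this example rather than the method the report used.

```python
"""Estimate the victim population behind a C&C sinkhole from beacon logs.

Added example (not from the report or the article). It shows why a unique-IP
count is only an upper bound: addresses that never beacon on the same day, from
the same network block, may be one host that was re-addressed by its ISP.
"""
from collections import defaultdict
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed beacon log, one "YYYY-MM-DD source_ip" line per C&C check-in.
# 198.51.100.0/24 churns through six addresses but never more than two per day;
# 203.0.113.4 is a stable address seen every day.
BEACON_LOG = """\
2013-05-10 198.51.100.7
2013-05-10 198.51.100.9
2013-05-10 203.0.113.4
2013-05-11 198.51.100.12
2013-05-11 198.51.100.15
2013-05-11 203.0.113.4
2013-05-12 198.51.100.21
2013-05-12 198.51.100.30
2013-05-12 203.0.113.4
2013-05-12 192.0.2.77
"""


def parse_beacons(text):
    """Return (date, ip) pairs; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            records.append((date.fromisoformat(parts[0]), ip_address(parts[1])))
        except ValueError:
            continue
    return records


def unique_ips(records):
    """Raw unique-address count: the figure the report calls an overestimate."""
    return len({ip for _, ip in records})


def daily_unique(records):
    """Map each day to the set of distinct addresses that checked in that day."""
    by_day = defaultdict(set)
    for day, ip in records:
        by_day[day].add(ip)
    return by_day


def average_daily_victims(records):
    """Average number of distinct addresses per day (the report's 71/day figure)."""
    by_day = daily_unique(records)
    if not by_day:
        return 0.0
    return sum(len(ips) for ips in by_day.values()) / len(by_day)


def block_counts(records, prefixlen=24):
    """Distinct addresses per network block; large counts in one block hint at
    dynamic addressing rather than many separate victims."""
    blocks = defaultdict(set)
    for _, ip in records:
        blocks[ip_network(f"{ip}/{prefixlen}", strict=False)].add(ip)
    return {net: len(ips) for net, ips in blocks.items()}


def victim_bounds(records, prefixlen=24):
    """Heuristic (an assumption of this example): upper bound is the unique-IP
    count; lower bound sums, per block, the most distinct addresses that block
    ever produced on a single day, since addresses never seen together may be
    one host re-addressed over time."""
    upper = unique_ips(records)
    peak_per_block = defaultdict(int)
    for ips in daily_unique(records).values():
        per_block = defaultdict(int)
        for ip in ips:
            per_block[ip_network(f"{ip}/{prefixlen}", strict=False)] += 1
        for net, n in per_block.items():
            peak_per_block[net] = max(peak_per_block[net], n)
    return sum(peak_per_block.values()), upper


if __name__ == "__main__":
    recs = parse_beacons(BEACON_LOG)
    print("unique addresses :", unique_ips(recs))
    print("avg victims/day  :", round(average_daily_victims(recs), 2))
    for net, n in sorted(block_counts(recs).items(), key=lambda kv: -kv[1]):
        print(f"  {net}: {n} distinct addresses")
    print("estimated victims:", "%d to %d" % victim_bounds(recs))
```

On the constructed log this reports 8 unique addresses but only 4 to 8 likely victims, with six of the eight addresses concentrated in one /24, which is the same shape of evidence the report describes. The per-day average is the more stable indicator to track over time, and a /24 concentration check is a cheap first filter before spending effort on per-address enrichment.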

The firm said it was able to take advantage of a mistake made by the attacker to discern some details about the campaign's origin, but warned against premature accusations that the Chinese government is involved.

"The author of the malware used in the campaign is probably a professional software developer who studied at a technical university in China. This individual appears to have repurposed legitimate source code from an internet services company in the same country for use as part of the campaign's C&C server code," the report said.

"While the information that we obtained suggested the identity of the malware author, we were not able to attribute the campaign operation to him. In fact, while we were able to identify the various IP addresses used by the operators, the geographic diversity of the proxy servers and VPNs made it difficult to determine their true origin."

The attack is one of many believed to have stemmed from China. Most recently The New York Times reported that a Chinese military unit believed to have hacked over 140 US businesses had resumed its harmful activities on Sunday.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.
