Zero-day Wednesdays

Why are attacks via unfixed flaws coming out the day after Microsoft's Patch Tuesday? Think corporate espionage, CNET editor Robert Vamosi says.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
Somewhere--perhaps in the United States, but more likely, somewhere in China--a man walks out of a nondescript building, casts his eyes upon the urban landscape around him after spending an eight-hour day staring at a computer screen, and lights a cigarette.

He does not know his bosses by name or by face; he knows only that he is paid, and paid pretty well, for his research. Like a legitimate computer-security researcher, he uses automated testing tools against Microsoft Office software, probing for buffer overflows, pointer errors or negative integers in Word, Excel and PowerPoint. Unlike a legitimate security professional, he does not report what he finds to Microsoft.

Instead, either he or his bosses will use this information for corporate espionage, to create what's called a zero-day attack, using targeted Trojan horses that exploit an unpublished flaw. Worse, they'll wait until after Microsoft publishes its latest patches on the second Tuesday of the month. They'll release their attacks the day after, when everyone's distracted by the new patches--a day we'll call "Zero-day Wednesday."

Patch Tuesday under attack
Just a few years ago, Microsoft would, out of the blue, announce a handful of patches, some critical, some not. The problem is--well, there are many problems.

First, Microsoft found it hard to inform everyone of the critical nature of the more serious vulnerabilities, especially if the announcement went out on Friday afternoon at 3 p.m. Worse, say someone did notice and hurriedly applied the patch, only to find on Saturday morning that it broke some functionality somewhere else in the system. Who would pay the overtime?

So--for the last two years, with only minor exceptions--Microsoft has announced its patches on the second Tuesday of each month. System administrators plan on it, and the general public has come to expect it. On rare occasions, Microsoft has reissued a patch or two.

But software vulnerabilities don't follow timetables. In May, the day after Microsoft released three updates, someone released a Trojan horse based on a previously unknown flaw (also known as a "zero-day" flaw) in Microsoft Word; Microsoft patched this in MS06-027. In June, after Microsoft patched 21 individual vulnerabilities, there was a zero-day attack on Excel files; Microsoft patched this in MS06-037.

And now, in July, after Microsoft patched 18 flaws, someone has released a zero-day attack on PowerPoint files. Microsoft says it'll patch this flaw on the next Patch Tuesday. However, within the last few days, we've seen at least three distinct backdoor Trojans using the PowerPoint flaws, with more Trojans possible before Aug. 8 this year.

Should home users worry? Not yet. These PowerPoint Trojans are not broadcast scattershot across the Internet like the large-scale virus attacks we've all grown to expect during the summer. Instead, these Trojans are targeted so that the victim companies won't realize they've been hit until after the fact. The bad guys are taking advantage of the common practice of sending and receiving Office files, making their poisoned e-mail look like legitimate interoffice traffic.

To do so, the bad guys have to be sophisticated; they have to be organized. One person uses Google to research target companies, perhaps identifying legitimate e-mail groups within a target. Using a process known as spear-phishing, a criminal hacker can fashion an internal-looking e-mail with subject lines like "Here are the Q1 sales figures," and the e-mail might be sent to "sales team alpha" from "sales internal." Someone receiving that e-mail wouldn't necessarily suspect the attached Excel file of being poisoned.
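The column describes the attacker's trick: a poisoned Office attachment wrapped in a message that claims to come from an internal sender. A first-line triage check a mail administrator could run is to compare the claimed sender domain with the host that actually handed the message to the local relay, and to note whether an Office attachment is present. The script below is an added example written for this page, not code from CNET or from any product the column mentions; the domain `example-corp.test`, the relay names, and the two sample messages are constructed for illustration.

```python
"""Triage check for inbound mail that imitates interoffice traffic.

Added example, not from the original column. Flags a message when the From
header claims the local domain but the earliest Received hop is not a local
host, and reports any Office attachment. All names below are assumptions.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

LOCAL_DOMAIN = "example-corp.test"  # assumed internal domain (constructed)
# 2006-era Office formats named in the column; Excel is the one in the lure
OFFICE_EXTENSIONS = (".doc", ".xls", ".ppt", ".rtf")


def is_local_host(host: str) -> bool:
    """True if a hostname belongs to the assumed internal domain."""
    return host == LOCAL_DOMAIN or host.endswith("." + LOCAL_DOMAIN)


def sender_claims_local(msg: EmailMessage) -> bool:
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.lower().endswith("@" + LOCAL_DOMAIN)


def originating_host(msg: EmailMessage) -> str:
    """Host named in the earliest Received header (the last one in the list,
    since each relay prepends its own). Real deployments should compare the
    relay-recorded peer IP rather than trust the HELO name, but the parsing
    pattern is the same."""
    received = msg.get_all("Received", [])
    if not received:
        return ""
    tokens = str(received[-1]).split()
    try:
        return tokens[tokens.index("from") + 1].lower()
    except (ValueError, IndexError):
        return ""


def office_attachments(msg: EmailMessage) -> list:
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(OFFICE_EXTENSIONS):
            names.append(name)
    return names


def triage(raw: str) -> dict:
    """Parse a raw RFC 822 message and return the triage verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    origin = originating_host(msg)
    spoofed = sender_claims_local(msg) and not is_local_host(origin)
    attachments = office_attachments(msg)
    return {
        "origin_host": origin,
        "spoofed_internal_sender": spoofed,
        "office_attachments": attachments,
        "suspicious": spoofed and bool(attachments),
    }


# Constructed sample: external host delivering mail that claims to be internal.
SPOOFED_MESSAGE = """Received: from mx1.example-corp.test by store.example-corp.test with LMTP; Wed, 12 Jul 2006 09:02:11 -0700
Received: from mail.attacker.test (mail.attacker.test [203.0.113.5]) by mx1.example-corp.test with ESMTP; Wed, 12 Jul 2006 09:02:10 -0700
From: "Sales Internal" <sales-internal@example-corp.test>
To: sales-team-alpha@example-corp.test
Subject: Here are the Q1 sales figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached.
--b1
Content-Type: application/vnd.ms-excel; name="q1-figures.xls"
Content-Disposition: attachment; filename="q1-figures.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: the same lure text sent from an internal workstation.
INTERNAL_MESSAGE = SPOOFED_MESSAGE.replace(
    "from mail.attacker.test (mail.attacker.test [203.0.113.5])",
    "from ws-42.example-corp.test (ws-42.example-corp.test [10.0.4.2])",
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("internal", INTERNAL_MESSAGE)):
        print(label, triage(raw))
```

The check only separates "claims to be internal but arrived from outside" from genuinely internal traffic; it does not inspect the attachment itself, which is the antivirus vendors' job the column describes. A positive result is a reason to hold the message for review, not proof of a zero-day document.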

Meanwhile, another individual bad guy (or a group of others) looks for unreported vulnerabilities. Not every vulnerability that's found can be exploited, and not every exploit lends itself to the type of crime that's profitable. Yet another person crafts a Trojan horse. And so on. The current crop of PowerPoint Trojans has been broadcasting captured keystrokes and other data to addresses within the 8800.org domain, a Chinese Web hosting site, but that could easily be a dead end.

So is the solution not to open any e-mail attachments? Have the villains finally won? No. Remember, the criminal hackers have been sending these to targeted companies, so, unlike the situation with the Melissa virus, interoffice Word documents, in general, ought to be safe. Antivirus vendors, with their vast networks of reporting desktops worldwide, are the ones discovering these corporate-espionage Trojans. As long as your antivirus protection is up-to-date, you should get protection within a few hours or days of a new zero-day threat. As for the companies under attack, they need to be wary of attachments and wait for Microsoft to patch these latest PowerPoint flaws.