Thursday, December 07, 2006

MSRC Defines “very limited, targeted attacks”

I was angry when I saw a forum post about Microsoft Security Advisory 929433 entitled "Unpatched Word flaw menaces civilisation". The title and the subsequent quote from the Channel Register isn't journalism. It is sensationalism. Indeed, Microsoft reported it as a vulnerability and indeed, as written in the Channel Register:
"Users tricked into opening maliciously constructed Word files are liable to find their systems compromised. {emphasis mine}

This unusually strongly-worded advice amounts to using Word only to create files yourself, and confining content to local area networks, at least until the next scheduled Patch Tuesday on 12 December."
The Channel Register wording amounts to advice to using Word only to create files yourself. However, Microsoft certainly did not word
Security Advisory 929433 that way.

There were other articles appearing around the web almost as sensational as the one referenced above. Even my local newspaper missed the mark. That is why I was happy to see Christopher Budd's explanation in the MSRC Blog responding to the question on what "very limited, targeted attacks" means.

"When we talk about “very limited, targeted attacks” we specifically mean this in contrast to attacks that affect a broad number of customers randomly. Unlike these broad, random attacks, these very limited, targeted attacks are carried out against a very small number of customers (sometimes only one or two even) and are carried out in a very deliberate fashion against a specific organization or organizations.

Where the goal of these broad, random attacks is large in scope, the goal of these very limited, targeted attacks is generally to introduce malicious software on to the systems of the specific organizations that have been targeted. For example, in investigating the issue that we just issued Microsoft Security Advisory 929433 on, part of our investigation showed that the attacks were specifically attempting to introduce malicious software rather than propagate themselves to additional customers. As part of our Software Security Incident Response Process (SSIRP), we have provided information about this malicious software to our AV partners through partner programs such as those in the Microsoft Security Response Alliance (MSRA) so that they can build signatures to detect the malicious software. The Windows Live OneCare Safety Scanner also contains signatures for this malicious software."
Of course, having the explanation won't stop the sensationalism. However, I hope it provides a better understanding for the general public.


No comments: