Patch or be Pwned
I'm sorry. It's probably bad form on LinkedIn to use jargon like 'pwned' (pronounced as 'owned' with a p in front). Truth is, the alliteration was too good to pass up.
Bad form or not, the message is true. Cofense has just released its report on malware trends for Q3. One of the key messages was that criminals are still making 'good use' of a flaw in Microsoft Office - a flaw that Microsoft fixed two years ago. It was patched in November 2017, but had existed for 17 years before that, by the way.
This flaw goes by the catchy title of 'CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability'. Some faulty programming in the Equation Editor can be used to take over a computer. All the user needs to do, as usual, is open a malicious document - received via email or dodgy website. Once the flaw is exploited, attackers can run code of their choosing. You can guarantee that code won't be friendly.
These days, there's nothing especially noteworthy about such exploits - they have become so commonplace. The thing that compels me to write this article is the phrase above: 'a flaw that Microsoft fixed two years ago'. If you are running a supported version of Microsoft Office you can get the fix for free. So why is Cofense still seeing so much exploitation of this flaw, two years on?
Why not patch?
Clearly it comes down to this: people aren't patching their copies of Office. There are doubtless a few reasons. Here are some that occur to me.
Invalid reasons not to patch
- No awareness. It's conceivable that some people do not know that they should keep their software up to date. Maybe that's on us information security professionals. We need to get the word out: if you connect a computer to a network, you must install all available security updates as soon as you can. Hence this article.
- No time. Particularly in smaller organisations, the job of keeping the computers up to date will likely fall to someone who wears many different hats. But for Office, that's not a great reason; you can set it to update automatically (see below).
- No expertise. Similarly, maybe the organisation doesn't have anyone that really knows how to apply updates. But again, this is as simple as answering 'Yes', when asked during installation, 'Do you want updates?'
- No money. Some organisations and individuals are running out of date or illegal copies of Office. I know, shock horror. There may be no money available to run a supported version of Office. But quite apart from the serious risks associated with old or hooky software, there are plenty of free tools available that can be used in place of Microsoft's suite. (E.g. LibreOffice, Google Docs, AbiWord and, for the seriously geeky, LaTeX.)
Valid reasons not to patch
- Too sensitive. Highly sensitive military and commercial installations have tight controls around software versioning and updates. But these systems are also protected against the kinds of risks associated with software flaws. The systems may for example be 'air-gapped' - isolated from any network, including the internet - such that the risk of these exploits is minimal.
- Too critical. Organisations may be unwilling to tamper with or otherwise modify business critical systems. In these systems, the risk of instability or downtime is greater than the risk of compromise through software exploits. But of course such systems should probably not be running Microsoft Office in the first place.
What should I do?
For larger organisations, this is no doubt covered by an enterprise management tool such as Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM). For the rest of us, you just need to make sure that automatic updates are enabled on all computers. To enable this for Word, there's this helpful article from Microsoft. You'll probably also need Windows Updates enabled, so here's how to do that for Windows 10.
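As an added example for the 'make sure automatic updates are enabled' step (my own illustration, not code from the article or from Microsoft), here is a PowerShell audit that reports whether Office Click-to-Run updates and Windows automatic updates are switched on for the local machine. The registry paths and the Microsoft.Update.ServiceManager COM object are assumed from Microsoft's Click-to-Run and Office update policy documentation; check them against your own Office build.

```powershell
# Added example (not from the article): audit whether Office and Windows will
# patch themselves on this machine. Run in an elevated PowerShell on Windows 10.
# Registry locations are assumed from Microsoft's Click-to-Run and OfficeUpdate
# policy documentation; verify them against your own Office build.

function Get-OfficeUpdateStatus {
    $result = [ordered]@{}

    # Click-to-Run installs (Office 365 / 2016+ C2R) record their update state here.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2r) {
        $cfg = Get-ItemProperty -Path $c2r
        $result.OfficeInstallType = 'Click-to-Run'
        $result.OfficeVersion     = $cfg.VersionToReport
        # 'True'/'False' string; 'False' means someone turned automatic updates off.
        $result.OfficeAutoUpdate  = ($cfg.UpdatesEnabled -eq 'True')
    } else {
        # MSI-based Office (e.g. 2010/2013 volume installs) is patched through
        # Microsoft Update instead, so the Windows Update settings below decide.
        $result.OfficeInstallType = 'MSI or not installed'
        $result.OfficeAutoUpdate  = $null
    }

    # Group Policy can override the per-machine setting: 0 = updates disabled.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate'
    $polVal = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).EnableAutomaticUpdates
    $result.OfficeUpdatePolicy = if ($null -eq $polVal) { 'not set' }
                                 elseif ($polVal -eq 1) { 'enabled' }
                                 else { 'DISABLED' }

    # Windows Update policy: NoAutoUpdate = 1 switches automatic updates off entirely.
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAuto = (Get-ItemProperty -Path $au -ErrorAction SilentlyContinue).NoAutoUpdate
    $result.WindowsAutoUpdate = ($noAuto -ne 1)

    # Which service feeds Automatic Updates? 'Microsoft Update' also carries
    # Office patches for MSI installs; plain 'Windows Update' does not.
    $svc = (New-Object -ComObject Microsoft.Update.ServiceManager).Services |
           Where-Object { $_.IsDefaultAUService }
    $result.DefaultUpdateService = $svc.Name

    [pscustomobject]$result
}

Get-OfficeUpdateStatus | Format-List
```

Any row showing OfficeAutoUpdate False, OfficeUpdatePolicy DISABLED or WindowsAutoUpdate False is a machine that will still be exposed to patched flaws like the one above.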
Stay safe out there!
Note: my posts on websites and social media are reflective of my views rather than my employer's or any third party's. Nothing in this article should be taken as constituting legal advice.
Comment from the CEO at PhishingTackle.com, 5 years ago:
I've seen this so many times Rob. A simple (and often free apart from licensing, as you mention) first step to helping you become more cyber secure is to patch (firmware updates included) and turn on 2FA. But even this simple advice goes unheeded by many. Perhaps it's time for vendors to enforce both?!