The Microsoft Security Intelligence Report is a statistics-rich security bulletin that analyzes malware, software vulnerabilities, exploits and security breaches involving Microsoft and third-party software. Volume 7 of the bulletin examines the first half of 2009. Among its many findings is the following discussion under Microsoft Office file format exploits:
The most frequently-exploited vulnerabilities in Microsoft Office software during 1H09 were also some of the oldest. More than half of the vulnerabilities exploited were first identified and addressed by Microsoft security updates in 2006.
71.2% of the attacks exploited a single vulnerability for which a security update (MS06-027) had been available for three years. Computers which had this update applied were protected from all these attacks.
The majority of Office attacks observed in 1H09 (55.5 percent) affected Office program installations that had last been updated between July 2003 and June 2004. Most of these attacks affected Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003.
In 2005, I did a series of keynote speeches, 10 Commonly Overlooked Security Hazards. One slide from that presentation is relevant to this article.
Most incidents exploit known vulnerabilities. Too many of those vulnerabilities remain exploitable because users fail to apply patches. In this case, the patch has been available since 2006, and nearly three of every four exploits seen in 2009 alone could have been averted had users applied it.
Patching is not hard. If you use Office, please check that you've installed MS06-027 now.
If you find you don't have MS06-027, become part of the solution, and stop serving your PC on a silver platter to malware writers. Microsoft Update provides all of the updates for the Microsoft Office system. I've provided the URL; please visit the site using IE and check that not only your Windows updates but also your Office updates are current.
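For readers who administer more than one PC, the check above can be scripted. The following PowerShell script is an added example, not part of the original post and not a Microsoft tool. It assumes the reader supplies the KB number of the MS06-027 package as `-KbId` (the post does not list it, so the default is an obvious placeholder), that Office updates register under the standard Uninstall registry keys with the KB number in their DisplayName, and that the Windows Update Agent COM object (`Microsoft.Update.Session`) is available. It reports whether the update appears in either place and prints the installed Word build so it can be compared against the bulletin's fixed version.

```powershell
# Added example (not from the original post): audit whether a given Office
# security update is present on this machine and report the Word build.
# Assumptions (not from the page): -KbId must be the real KB number of the
# MS06-027 package; the default below is a placeholder to be replaced.
param(
    [string]$KbId     = 'KB_PLACEHOLDER',   # replace with the MS06-027 KB number
    [string]$Bulletin = 'MS06-027'
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# 1. Look for the update's uninstall entry. Office (MSI) security updates
#    register here with the KB number in their DisplayName.
$found = foreach ($root in $uninstallRoots) {
    if (Test-Path $root) {
        Get-ChildItem $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { $_.DisplayName -and $_.DisplayName -match [regex]::Escape($KbId) }
    }
}

# 2. Cross-check the Windows Update Agent history, which records Office
#    patches delivered through Microsoft Update. ResultCode 2 = succeeded.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }
$viaWua   = $history | Where-Object {
    $_.Title -match [regex]::Escape($KbId) -and $_.ResultCode -eq 2
}

# 3. Report the Word binary's file version so the result can be compared
#    with the fixed build listed in the bulletin.
$appPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe'
$wordPath = (Get-ItemProperty $appPath -ErrorAction SilentlyContinue).'(default)'
$wordVer  = if ($wordPath -and (Test-Path $wordPath)) {
    (Get-Item $wordPath).VersionInfo.FileVersion
} else {
    'Word not found'
}

$verdict = if ($found -or $viaWua) { 'Installed' } else { 'MISSING - apply via Microsoft Update' }

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Bulletin        = $Bulletin
    KbId            = $KbId
    InUninstallList = [bool]$found
    InUpdateHistory = [bool]$viaWua
    WinwordVersion  = $wordVer
    Verdict         = $verdict
}
```

Run it as `.\Check-OfficeUpdate.ps1 -KbId <KB number>` on each machine, or wrap it in `Invoke-Command` to collect the objects from a fleet. A `MISSING` verdict on a machine with an old `WinwordVersion` is exactly the unpatched Office 2003 install the report describes; the fix is the same as in the post: run Microsoft Update, not just Windows Update, so that Office updates are offered.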