The number of errors and exploitable vulnerabilities in the individual Microsoft Office versions has decreased dramatically in recent years and is now even below that of OpenOffice. This is the conclusion reached independently by security specialist Dan Kaminsky and by Will Dormann of CERT at Carnegie Mellon University. The results should, however, be treated with some caution, since they rest on automated evaluation that says little concrete about the actual threat potential.
For their studies, both used fuzzing tools to create more than ten thousand malformed doc files, loaded them into the Office products and evaluated the reaction with the Microsoft tool "!exploitable Crash Analyzer". Kaminsky and Dormann then evaluated the number of crashes and the errors that the Crash Analyzer classified as vulnerabilities that can, or presumably can, be exploited for attacks. The tool makes this assessment automatically, however.
Image caption: The number of exploitable vulnerabilities in Microsoft's Office suite has declined considerably since 2003. Image: Dan Kaminsky
Dormann registered a steady decline in crashes from Office XP through Office 2003 and 2007 up to Office 2010. In addition, the number of exploitable vulnerabilities decreased continuously from seven to zero. For OpenOffice he compared only versions 3.2.1 and 3.3.0 RC7. There the number of crashes and exploitable bugs (from 18 to 15) did decline within the product, but it was still significantly higher than that of Microsoft Office.
Kaminsky's tests lead to more drastic figures: while Office 2003 still had 127 (potentially) exploitable vulnerabilities, the number dropped to 12 for Office 2007 and to 7 for Office 2010. By comparison, the OpenOffice version available in 2003 (version 1.1) showed 73 vulnerabilities, a number that fell to 62 in 2007 and to 20 in 2010.
Kaminsky and Dormann are reserved in interpreting the results. From Kaminsky's perspective, the situation has improved. Both leave open what the reason is. At Microsoft, the introduction of the Software Development Lifecycle presumably plays an essential role, since the vendor has established processes and tools in this context specifically to increase the security of its products.
However, the results should not be overrated. For one thing, they appear to vary greatly between similar tests; for another, Microsoft's products are still more in the focus of attackers than OpenOffice. The risk of infection is therefore higher even with fewer vulnerabilities. That may change soon, however, when support for Office XP runs out (12 July 2011) and enterprises and users switch to newer versions of Office. In addition, "Office File Validation" tries to prevent manipulated files from being loaded. Since the last Patch Tuesday, the function has also been available for Office 2003 and 2007.