Microsoft: Windows, Mac malware gets in via Adobe, Java, Office

Microsoft: Windows, Mac malware gets in via Adobe, Java, Office

Summary: Microsoft has outlined the main third-party software through which cross-platform attacks Windows, Mac, and Linux computers: old vulnerabilities in Java, Adobe Flash, Adobe PDF applications, and Microsoft Office.

SHARE:
Microsoft: Cross-platform malware gets in via Adobe, Java, Office

Microsoft has been doing some research into all the recent cross-platform malware (1, 2, 3) that attacks Windows, Macs, and sometimes even Linux. The company has concluded that current attacks exploit third-party vulnerabilities in software on these platforms. There are two ways the malicious code is being delivered, according to the software giant: via the Web and via e-mail attachments.

More specifically, Microsoft has found cybercriminals are currently leveraging 12 vulnerabilities in Java, seven in Adobe Flash, three in Adobe PDF applications, and three in Microsoft Office (one in Excel, two in Word). All of these can be used to target and attack multiple platforms. Since Java had the most, Microsoft has already recommended that you update it or kill it.

While these results are merely based on the samples Microsoft has identified, acquired, and processed, they confirm a trend other security researchers have been seeing with cross-platform vulnerabilities. It's basic economics. Malware writers love using a cross-platform plugin as an attack vector because it allows them to target more than one operating system, and thus more potential users. As such, we can expect the value and demand for these flaws to continue.

The most important thing to note is that all these aforementioned vulnerabilities have been patched. In fact, some of them are quite old. The security holes being exploited in Microsoft's software date back to 2009, the vulnerabilities in Adobe's software go back to 2010 and 2011, and the Java flaws range from 2010 to 2012.

"This highlights the importance of keeping security software up-to-date, and ensuring operating system and 3rd party security patches are installed (soon after they become available) in order to reduce the risk of malware infection," a Microsoft spokesperson said in a statement. "And, this best practice should extend to all devices and platforms, especially those in large enterprise networks."

See also:

Topics: Security, Apple, Malware, Microsoft, Operating Systems

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

21 comments
Log in or register to join the discussion
  • So it sounds like Microsoft is saying that if you want a safe computer

    that it's time to dump Flash, Java and stick with PDF tools that aren't coming from Adobe.

    Sounds fair enough.
    Champ_Kind
    • Not that at all

      They are saying that it's important to keep all of your software up to date. If you don't want to keep it up to date, then uninstall it.
      spartanstu2011
    • Does this sound fair?

      Stick with office suites that aren't coming from Microsoft.

      And speaking of Microsoft Office, I wonder what percentage of Windows users have switched to Microsoft Update in lieu of Windows Update. Because, you know ...

      P.S. Just to be fair and even-handed.
      Rabid Howler Monkey
      • well

        Your sarcasm failed at root level.
        Ram U
      • Ummm...

        There were the fewest holes in Office compared to the other things listed. Also, I highly doubt Microsoft checked Office spin-offs since the majority do not use them. I would imagine less used applications would have more holes.

        I guess haters are going to hate though. And how is this fair and even-handed? As Apple/OS X has shown us, if you aren't getting bombarded with attacks, it is assume you are safe- the whole security by obscurity. Sounds like you're safe to me! Ask all the virgin girls that didn't use any form of birth control their first time and you'll find that, gasp... it only takes one time to get knocked up! It only takes one piece of malware to screw up a system.
        ikissfutebol
        • security and obscurity

          Doesn't the security by obscurity paradigm is what Microsoft stands on? Flashback was an entirely Apple's managerial fault, not the users, since Apple just like Microsoft have demonstrated many times their ignorance and incompetence in IT.
          eulampius
      • Yeah it does

        There you go...switch to a weak office app that tries to mimic the best office suite in the world? This is terrible advice! The other suites are wannabes....If you dress up a turd it's still a turd!

        http://www.youtube.com/watch?v=k4EbCkotKPU&feature=player_detailpage
        Rob.sharp
        • RE: Terrible advice

          A bit more detail on my advice:

          1. Using an alternate office suite will help make one immune to exploits that specifically target Microsoft Office. There are several proprietary and open-source alternatives that support Windows. As an example, if one had used either OpenOffice or LibreOffice to open the malicious Word document associate with Duqu, there would have been no infection as these open-source office suites do not support embedded fonts.

          2. If one uses Microsoft Office (I agree that it is the gold standard), then enable Microsoft Update to make sure that security updates are applied. You see, Windows Update, which defaults on Windows, does not include security updates (or any other updates) for Microsoft Office. Thus, my question as to how many Windows users running Microsoft Office have switched to Microsoft Update.

          Cheers.

          Note to Emil: You need to start recommending Microsoft Update to users when Microsoft Office exploits are discussed in the blog article.
          Rabid Howler Monkey
        • MS Office

          MS Office a bloated turd that is too large to dress. I have never used it and never will. 100% no problems!
          Jesster
    • Yeah, as if Microsoft has a history of virus-free products...

      spartanstu2011's response is more on the mark. ALWAYS keep software updated and companies do have a responsibility, or should.

      And who needs all that when mere phishing can be good enough, if you can do what it takes to spoof.
      HypnoToad72
  • updates

    Yes, indeed, do keep your system up-to-date. The thing is how easy and convenient is that for various operating systems?

    Say on most GNU/Linux distros and *BSD all updates (and installations) are done from a few secure sources in one chunk with virtually only one click. You do not have to reboot the system except for the kernel updates, unlike Windows. Whereas, Microsoft Windows and Mac OSX leave users on their own with the so called "3-d party software" updates.

    So if you really care about security GNU/Linux or *BSD would your best choice.
    eulampius
    • old think

      Rebooting after updates?? How long since you used a late model Microsoft operating system?
      mswift@...
      • are you sure, you update?

        Luckily, long time ago. I would still have to use it (at work) to shutdown and boot into my live Mint/Ubuntu usb media. Booting actually takes less time than to login to Windows 7 professional-shamtional account.
        Read Steven Sinofsky from MSFT on that:
        http://blogs.msdn.com/b/b8/archive/2011/11/14/minimizing-restarts-after-automatic-updating-in-windows-update.aspx
        eulampius
      • Windows reboot after update

        Um...don't know what windows you're running, but most updates to office or any update windows requires a reboot. Maybe you're really running linux and you don't even know it?
        WhatsamattaU
  • Useless blog, as usual

    All the threats mentioned by MS have been fixed. Why is this blog useful again? There are so many other security topics to cover, but that would take some research, which is harder than regurgitate MS's findings.
    Eleutherios
  • Useless blog, as usual

    All the threats mentioned by MS have been fixed. Why is this blog useful again? There are so many other security topics to cover, but that would take some research, which is harder than regurgitate MS's findings.
    Eleutherios
  • Useless blog, as usual

    All the threats mentioned by MS have been fixed. Why is this blog useful again? There are so many other security topics to cover, but that would take some research, which is harder than regurgitate MS's findings.
    Eleutherios
    • I'm not sure if it's a glitch

      in ZDNet's new talkback system or not but if not repeating your post does not make it any more true.
      athynz
      • It's the new talkback

        I've had problems all week with it. When I click "Submit" the message eventually says there was an error. So, click "Submit" again.... error again. Click "Submit" again.... maybe it goes, maybe not. When I refreshed the page it showed all the times I clicked "Submit" as separate entries, even though they failed with an error at the time.
        benched42
  • Java Developers - www.aegisisc.com

    Also any websites could be virus/malware affected with javascript. For More Java Developers
    aegisisc