The launch of Microsoft Office 2007 is likely to force malicious hackers to focus more attention on looking for vulnerabilities in other desktop applications, such as Abobe's Acrobat Reader, experts told delegates at the RSA Conference 2007 in San Francisco on Wednesday.
Today, most spyware and other "crimeware" applications target flaws in client-side applications, explained Jeff Moss, who founded the Black Hat and Def Con hacker conventions. These attacks involve sending an employee or home user a modified file, or a hyperlink to a Web download, which will compromise their system if executed.
"Office 2007 is much better architected, and the fine-grained capabilities are much better [than Office 2003], so you're going to see a lot less application attacks against Office, and because of that you're going to see less attacks against Vista that are successful," predicted Moss.
"So, where do the attackers go? Every other app that you are running. That's going to be Acrobat, and we've already started seeing that in the last couple of months. They just go for the lowest hanging fruit", Moss said.
Moss added that Adobe has recently begun patching more quickly, because it has become more of a target for these attacks. In January, Adobe admitted that its PDF Reader application contained a major security hole, which exposes a user's hard drive to attack.
The RSA Conference heard that crimeware is a rapidly growing threat facing both companies and individuals. Criminals are using Trojans, rootkits, keyloggers and other pieces of malware in a concerted attempt to steal personal data, log-in codes or banking details.
According to Moss, a team of malicious hackers might spend a month working on a client-side exploit before releasing it, but may devote as much as nine months perfecting a server-side attack, trying to get it exactly right before launching it. If the attack relies on a previously-unknown flaw, they may only have one shot before security vendors wake up to the problem and issue protection.
Because crimeware often relies on an individual running an application or clicking on a link, education should be a key part of a company's defence strategy, the conference heard. Locking down non-essential applications to limit the company's exposure to danger is also recommended.
"If I've got a user who isn't supposed to go onto the Internet, why am I allowing them Internet access?" asked Andre Gold, director of information security at Continental Airlines.
