So now we know... the story behind a "limited attack"
Australian IT news has an interesting report about the story behind an attack against a US State Department using a previously unknown Word vulnerability which was later patched by Microsoft.
The article describes what was a targeted attack on the State Department's Bureau of East Asian and Pacific Affairs via an employee based in Asia - a Department which coordinates diplomacy in countries including China, the Koreas and Japan. The unfortunate employee opened what seemed to be a legitimate email with content relevant to the State Department's role - the email included a Microsoft Word document with material from a congressional speech related to Asian diplomacy, and that Word document was the key to the attack - it contained code that allowed the hackers to break into the victim network although, reassuring, the security compromise was detected very quickly.
Regular readers of the Microsoft Security Response Centre blog (http://blogs.technet.com/msrc/default.aspx) will occasionally see reference to the discovery of a new vulnerability which has been used in limited, targeted attacks. Often some areas of the press will pick up on the story from various sources, and will publish "OMG its another unpatched zero day" articles lamenting how we are all at risk, and how we should stop using Microsoft products etc etc etc. Invariably there will be complaints from some commentators about how long it is taking to patch said vulnerability, and FUD (fear, uncertainty and doubt) related to how Microsoft is putting so many people at risk by not patching the vulnerability quickly enough will quickly spread.
The story described in the Australian IT article is a peek being the secrecy curtain at the reality of limited, targeted attacks. The virus writer's world of today is not what it was in the early days. It used to be that the biggest problem we had was viruses that were designed to infect as many computers as possible, as quickly as possible. The goal was not financial gain, or espionage, or targetted attacks like it is today - instead the goal was notoriety and fame for the virus writers, and that fame was not based on how good their code was, or what it could do, but was more about body count - their code could set off such a cacophony of symptoms that only the most blind would not see there was a problem, but that did not matter.
Compare the goals of the script kiddies who were only trying to prove they've got the biggest anatomical appendage to the goals behind the attack against the US State Department. Whoever it was that had discovered the vulnerability and used it was not out to infect the world. They wanted to get in to a particular network very quietly, and to evade detection as soon as possible. Often they do not want the world to learn what the vulnerability is that they are using, because when *that* gets out, we adapt, we start watching out for the exploit, we mitigate risk and we devise protections, so that the mystery vulnerability that the bad guy may have paid good money for is suddenly of limited use.
In the end, it all boils down to perceived risk versus real risk, and that is what MS deals with when deciding what to do about limited attacks like the one described above. Reality is that the chances of the 'man in the street' being sent a Word document with the code embedded that was received by the US State Department is minimal to nil, which Microsoft is well aware of. You're at far greater risk of being hit by Winfixer via remiss services such as ValueClick than you are of being hit by the Word exploit discussed here. Remember that when next you read about the latest limited, targeted attack involving Word or Powerpoint and see somebody agitating about how negligent MS is for not pushing out an immediate patch - sure, they could do that "just in case", but what if it breaks thing else, badly... all to protect you from a risk that you're in all likelihood not exposed to anyway?