Microsoft's products are practically ubiquitous. Sure, Internet Explorer is no longer synonymous with the Internet for many people, but the company's Office productivity suite remains a staple for many Windows users. That's great for Microsoft, but Kaspersky Labs' report that 70 percent of the cyberattacks it saw in the fourth quarter of 2018 targeted Office vulnerabilities suggests that it might not be great for the software's users.
Kaspersky presented these findings at its Security Analyst Summit in Singapore last week; ZDNet reported on the presentation on Monday. According to the publication, Kaspersky said Office was involved in just 16 percent of attacks in Q4 2016. That number quadrupled in just two years, and unless there are some dramatic changes with the productivity suite or its popularity, there's little reason to believe it will fall anytime soon.
Not all of the attacks involving Office vulnerabilities actually rely on flaws in the software itself. Kaspersky noted that attacks will often exploit issues with related components in Windows, or they'll use Office files to make their way onto a target device. Even people who manage to avoid Office typically have to deal with its file types--documents are sent as ".docx", spreadsheets as ".xlsx" and presentations as ".pptx". That's just how it is.
That means that Microsoft's efforts to secure Office are in some ways limited by factors outside its control. Promising improved security for people who opt for Office 365 instead of the standalone versions of its software is better than nothing, sure. (Even if it seems a bit silly to pit the products against each other.) But it can't stop attackers from disguising a malicious file as a Word document or sneaking malware into a PowerPoint slide.
This ubiquity, combined with the ease with which attackers can exploit Office vulnerabilities, makes the rise in attacks involving Office seem like an inevitability. Kaspersky reportedly said there's an entire crime network built around Microsoft's productivity suite. That means there's serious economic incentive to discover Office vulnerabilities, exploit them, sell the exploits and then repeat the process once a given security flaw is fixed.
Maybe that would change if Office were no longer synonymous with office work. But the productivity suite has withstood increasing competition far better than Internet Explorer did, and even if it's dethroned, people are still going to use Office file formats until they simply can't do so anymore. Microsoft, Kaspersky, and other companies simply have to manage each problem as it pops up to the best of their collective ability.
