It's no surprise that vulnerability-seeking malware is on the rise. And if Microsoft is to be believed, it could be your fault.

In its biannual security report, issued this week, the software giant said that much of the problems with infected files stems from users' failure to apply available patches.

"The message is update, update, update," Dave Forstrom, group manager for online safety at Microsoft (NASDAQ: MSFT), told "We need to make sure that home users and business users are updating the software they use."

The report, covering the second half of 2008 (2H08), marks the first time that the Microsoft study has tracked infected files, leading researchers to conclude that users could avoid much of the infection problem simply by becoming more diligent about updating and patching their software.

For instance, the report examined the seven most-attacked Office vulnerabilities and the top two Adobe Reader vulnerabilities -- all of which have long had available patches.

"Fully 91.3 percent of attacks exploited a single vulnerability (CVE-2006-2492, the Malformed Object Pointer Vulnerability in Microsoft Office Word) for which a security fix had been available for more than two years," the report said.

For Adobe Reader, the report notes that patches for the two Acrobat 8.0 vulnerabilities were released in 2008 (one in February and one in November) and that the latest version of the software, Acrobat 9.0, is immune to all observed exploits.

The report does not say that Microsoft Office or Adobe Reader are unsafe. In fact, if you have the latest version and the latest patch, you're likely fine.

Business users at risk

As the Conficker worm recently demonstrated, it's not only home users that are failing to patch and update software -- some corporate IT environments have unpatched computers, too.

The worm exposed those environments, Jeffrey Shipley, manager of intelligence collection and analysis at Cisco Security Research and Operations, told at the time.

"While most enterprise customers have seen low infection levels, certain customers have seen more significant issues," Shipley said. "In particular, environments with loosely managed computers have been hard hit. Examples include hospital environments in which computers are unpatched for extended periods, and technologies such as IPS (define) and CSA [Cisco Security Agent, an endpoint security and antivirus solution] may not have been deployed."

It's unclear why more users and IT shops aren't keeping their systems up to date. The obvious conclusion might be that those falling victim to the attacks are users of pirated software. However, Forstrom noted that Microsoft provides security updates -- but not other updates -- for pirated software.

Compounding the problem

Users' failure to patch also compounds the threat posed by growing numbers of increasingly savvy malware authors, who seek to compromise systems by infecting trusted documents.

One example is the rapid increase in attacks aiming to exploit the Adobe Portable Document File (PDF) format. Although the report's authors declined to provide exact numbers, they wrote, "Use of the PDF format as an attack vector rose sharply in 2H08, with attacks in July amounting to more than twice as many as in all of 1H08 combined and continuing to double or almost double for most of the remaining months of the year."

To help combat the surging tide of malware, e-mail and instant messaging programs are often configured to block file formats that have been used as vectors for malware in the past, such as files with .exe, .com and .scr extensions.

But the report noted that this hasn't done much to stem the tide.

"These same programs typically permit the transmission of popular Microsoft Office binary file formats (including .doc, .xls, and .ppt) and the Portable Document Format file format used by Adobe Reader," the report said. "These formats are used legitimately by many people every day to share information and get work done, so blocking them is often not practical. This has made them an attractive target for exploitation."

Worse, a victim won't know they're infected because the malware often allows the victim to view an uninfected version of the document. The only indication of infection that the victim would see is the program window blinking a few times -- as first the infected document is loaded, followed by an uninfected version.

This article was first published on