
SANS ISC: Microsoft OfficeOnline, Searching for Trust and Malware - SANS Internet Storm Center SANS ISC InfoSec Forums


Microsoft OfficeOnline, Searching for Trust and Malware

Several readers have commented on today's Websense alert, found here: http://securitylabs.websense.com/content/Alerts/3519.aspx?cmpid=slalert

Websense discusses how, if you are on http://office.microsoft.com and use the search functions, you may receive links to sites that are not on Microsoft's domain.
This in itself is not too troubling, but the real issue is that these links are all referral links, which start with http://office.microsoft.com - so they look like they're Microsoft links (if you don't look too closely). Clicking on links within these referred pages may then navigate away from the office.microsoft.com lead URL.

What Websense reports is that they've found malware, specifically "Fake Antivirus" malware, within some of these referral links.

What makes this an issue is that, on the face of it, you might expect a web filtering application to allow these links, as they start with "office.microsoft.com". The Websense apps figure this situation out correctly, but it is an easy thing to miss for the user driving the keyboard and mouse, and I suspect it might be an easy thing to miss if you are coding a content control application.

What this highlights is that on the internet, "trust" is often misplaced. When you search on Google, Yahoo or some other large search engine, you do not expect that all the results that you get on a search will be "safe". But in this case of Microsoft's "captive" search function on this page, you can see how people might trust the results based on the URL, especially as the search function is worded as "Search Office Online", not "Search the Internet" or "Search for the Answer".

So I guess the message of the day is, be careful who you put your "trust" in!

Surf Safe all!


Rob VandenBrink

ISC Handler
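
The filtering pitfall described in the diary above, as an added example (not code from the diary or from Websense): a check that trusts any link starting with the site's URL, beside one that parses the host and inspects destinations embedded in the query string. The `redir.aspx` path, the `url` parameter, the `fake-av.example` host and the allowlist are assumptions for illustration, since the page does not show the real referral format; the look-alike hostname case goes slightly beyond the referral links the diary discusses.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

TRUSTED_SUFFIXES = ("microsoft.com",)  # assumption: the filter's allowlist

def host_trusted(host):
    """True only for a trusted domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def naive_allow(url):
    """The easy-to-write check: trust anything that starts with the site URL."""
    return url.lower().startswith("http://office.microsoft.com")

def fully_decoded(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (over-decoding is harmless here)."""
    for _ in range(rounds):
        value = unquote(value)
    return value.strip()

def embedded_urls(url, depth=3):
    """Yield absolute URLs carried in query values or the fragment, nested ones too."""
    parts = urlsplit(url)
    values = [v for _, v in parse_qsl(parts.query)] + [parts.fragment]
    for value in map(fully_decoded, values):
        if value.startswith("//"):  # scheme-relative destination
            value = "http:" + value
        if value.lower().startswith(("http://", "https://")):
            yield value
            if depth > 0:
                yield from embedded_urls(value, depth - 1)

def strict_allow(url):
    """Allow only if the link's own host and every embedded destination are trusted."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not host_trusted(parts.hostname):
        return False
    return all(host_trusted(urlsplit(u).hostname) for u in embedded_urls(url))

# Constructed sample links; the redir.aspx path and "url" parameter are hypothetical.
SAMPLES = [
    "http://office.microsoft.com/en-us/results.aspx?qu=calendar+template",
    "http://office.microsoft.com/redir.aspx?url=http%3A%2F%2Ffake-av.example%2Fscan",
    "http://office.microsoft.com/redir.aspx?url=http%253A%252F%252Ffake-av.example%252F",
    "http://office.microsoft.com.fake-av.example/search",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(naive_allow(link), strict_allow(link), link)
```

A search term that is itself a URL to an untrusted host is also blocked by `strict_allow`, which is the conservative choice for a filter.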
From observing my web filtering firewall at home, this has been happening for about a year now with a lot of other sites. This includes major news sites, some of which seem to have caught on after a while. Mostly it seems to be advertisements. They may be calling, or getting content from, infected or malicious sites. Some appear to be for fake security/antivirus software.
Anonymous
