What “very limited, targeted attacks” Means

Hi, this is Christopher Budd.

We’ve gotten some questions from customers about what we mean when we say we’re aware of “very limited, targeted attacks” in a security advisory. I wanted to take a moment to help clarify the phrase.

When we talk about “very limited, targeted attacks,” we specifically mean this in contrast to attacks that affect a large number of customers indiscriminately. Unlike those broad, random attacks, very limited, targeted attacks are carried out against a very small number of customers (sometimes as few as one or two) and are conducted in a deliberate fashion against a specific organization or organizations.

Where the goal of a broad, random attack is to reach as many systems as possible, the goal of a very limited, targeted attack is generally to introduce malicious software onto the systems of the specific organizations that have been targeted. For example, in investigating the issue covered by Microsoft Security Advisory 929433, which we just issued, part of our investigation showed that the attacks were specifically attempting to introduce malicious software rather than propagate themselves to additional customers. As part of our Software Security Incident Response Process (SSIRP), we have provided information about this malicious software to our AV partners through partner programs such as those in the Microsoft Security Response Alliance (MSRA) so that they can build signatures to detect it. The Windows Live OneCare Safety Scanner also contains signatures for this malicious software.

One of our goals when we issue a security advisory is to give you information to help you understand the risks posed by an issue. One thing we know customers want to know is the scope of an attack. Through our work with partners, our work with customers, and our internal investigations, we’re sometimes able to tell whether an attack is a broad, random attack or a very limited, targeted attack. When we’re able to do this, we include it in our security advisory as another piece of information to help you understand what’s going on, so you can make better-informed risk assessments.

I hope this helps to clarify the statement. Of course, whether an attack is broad or limited, we treat every issue as a priority, and our teams continue to actively investigate this one.


*This posting is provided “AS IS” with no warranties, and confers no rights.*