Hackers used Microsoft Word bug 'for months'


A bug in Microsoft Word was exploited by hackers for months before it was eventually fixed, according to security researchers.

The flaw allowed attackers to take control of a computer via malicious document files.

The zero-day, or previously undetected, vulnerability was patched earlier this month.

However, it has since emerged that Microsoft was told about it in October, nearly six months ago.

A report from the Reuters news agency notes that security researcher Ryan Hanson at Optiv first discovered the problem in July 2016.


Microsoft could have notified customers to make a change to settings in Word that would have prevented the vulnerability from being exploited - but that would also have alerted hackers to its existence.

The decision to wait for a patch seems to have allowed a window of opportunity for hackers to discover the flaw on their own.

In March, cyber-security company FireEye noticed financial hacking software that was being distributed with the Microsoft bug.

And another company, McAfee, found attacks that were exploiting it, too.

McAfee faced some criticism, however, for publishing a blog post about the vulnerability - with details hackers may have found useful - two days before it was fixed.

Yet another company, Proofpoint, found that the vulnerability was being targeted by scammers trying to distribute Dridex malware - which infects a victim's computer before snooping on banking logins.

There were even reports of hacking after the patch was made available.

Cyber-security outlet Morphisec said that employees at Ben-Gurion University in Israel had had their email accounts compromised by attackers who had then sent infected documents to medical professionals and contacts at technology companies.

"Prior to public disclosure, our engineers were aware of a small number of attempts to use this vulnerability through targeted spam designed to convince users to open a malicious attachment," a Microsoft spokesman said.

Customers who applied the 11 April security update were already protected, he added.

"In an ideal world, it would have been fixed sooner," said cyber-security expert Graham Cluley.

However, he pointed out that patching software run on millions of computers around the world was not an easy process.

"There's always this huge challenge because companies want to patch their software, but they want to do it properly - they want to make sure they've been comprehensive with the fix," he told the BBC.


