Hackers used Microsoft Word bug 'for months'


A bug in Microsoft Word was exploited by hackers for months before it was eventually fixed, according to security researchers.

The flaw allowed attackers to take control of a computer via malicious document files.

The zero-day, or previously undetected, vulnerability was patched earlier this month.

However, it has since emerged that Microsoft was told about it in October, nearly six months ago.

A report from the Reuters news agency notes that security researcher Ryan Hanson at Optiv first discovered the problem in July 2016.


Microsoft could have notified customers to make a change to settings in Word that would have prevented the vulnerability from being exploited - but that would also have alerted hackers to its existence.

The decision to wait for a patch seems to have allowed a window of opportunity for hackers to discover the flaw on their own.

In March, cyber-security company FireEye noticed financial hacking software that was being distributed with the Microsoft bug.

And another company, McAfee, found attacks that were exploiting it, too.

McAfee faced some criticism, however, for publishing a blog post about the vulnerability - with details hackers may have found useful - two days before it was fixed.

Yet another company, Proofpoint, found that the vulnerability was being targeted by scammers trying to distribute Dridex malware - which infects a victim's computer before snooping on banking logins.

There were even reports of hacking after the patch was made available.

Cyber-security outlet Morphisec said that employees at Ben-Gurion University in Israel had had their email accounts compromised by attackers who had then sent infected documents to medical professionals and contacts at technology companies.

"Prior to public disclosure, our engineers were aware of a small number of attempts to use this vulnerability through targeted spam designed to convince users to open a malicious attachment," a Microsoft spokesman said.

Customers who applied the 11 April security update were already protected, he added.

"In an ideal world, it would have been fixed sooner," said cyber-security expert Graham Cluley.

However, he pointed out that patching software run on millions of computers around the world was not an easy process.

"There's always this huge challenge because companies want to patch their software, but they want to do it properly - they want to make sure they've been comprehensive with the fix," he told the BBC.


