Hackers used Microsoft Word bug 'for months'


A bug in Microsoft Word was exploited by hackers for months before it was eventually fixed, according to security researchers.

The flaw allowed attackers to take control of a computer via malicious document files.

The zero-day, or previously undetected, vulnerability was patched earlier this month.

However, it has since emerged that Microsoft was told about it in October, nearly six months ago.

A report from the Reuters news agency notes that security researcher Ryan Hanson at Optiv first discovered the problem in July 2016.


Microsoft could have notified customers to make a change to settings in Word that would have prevented the vulnerability from being exploited - but that would also have alerted hackers to its existence.

The decision to wait for a patch seems to have allowed a window of opportunity for hackers to discover the flaw on their own.

In March, cyber-security company FireEye noticed financial hacking software that was being distributed with the Microsoft bug.

And another company, McAfee, found attacks that were exploiting it, too.

McAfee faced some criticism, however, for publishing a blog post about the vulnerability - with details hackers may have found useful - two days before it was fixed.

Yet another company, Proofpoint, found that the vulnerability was being targeted by scammers trying to distribute Dridex malware - which infects a victim's computer before snooping on banking logins.

There were even reports of hacking after the patch was made available.

Cyber-security outlet Morphisec said that employees at Ben-Gurion University in Israel had had their email accounts compromised by attackers who had then sent infected documents to medical professionals and contacts at technology companies.

"Prior to public disclosure, our engineers were aware of a small number of attempts to use this vulnerability through targeted spam designed to convince users to open a malicious attachment," a Microsoft spokesman said.

Customers who applied the 11 April security update were already protected, he added.

"In an ideal world, it would have been fixed sooner," said cyber-security expert Graham Cluley.

However, he pointed out that patching software run on millions of computers around the world was not an easy process.

"There's always this huge challenge because companies want to patch their software, but they want to do it properly - they want to make sure they've been comprehensive with the fix," he told the BBC.


