Microsoft Word flaw took so long to fix that hackers used it to send fraud software to millions of computers

It took Microsoft nine months to fix the hack - REUTERS

A flaw in Microsoft Word took the tech giant so long to fix that hackers were able to use it to send fraud software to millions of computers, it has been revealed.

The security flaw, officially known as CVE-2017-0199, could allow a hacker to seize control of a personal computer with little trace, and was fixed on April 11 in Microsoft's regular monthly security update - nine months after it was discovered.

A six-month delay is bad but not unheard of, said Marten Mickos, chief executive of HackerOne, which co-ordinates patching efforts between researchers and vendors.

"Normal fixing times are a matter of weeks," Mickos said. Microsoft Corp declined to say how long it usually takes to patch a flaw.

While Microsoft investigated, hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine, and a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries.

Those conclusions and other details emerged from interviews with researchers at cyber security firms who studied the events and analysed versions of the attack code. Microsoft confirmed the sequence of events.

The tale began last July, when Ryan Hanson, a consultant at security firm Optiv Inc, found a weakness in the way that Microsoft Word processes documents from another format. That allowed him to insert a link to a malicious program that would take control of a computer.

Hanson spent some months combining his find with other flaws to make it more deadly, he said on Twitter. Then in October he told Microsoft. The company often pays a modest bounty of a few thousand dollars for the identification of security risks.

Soon after that point six months ago, Microsoft could have fixed the problem, the company acknowledged. But it was not that simple. A quick change in the settings on Word by customers would do the trick, but if Microsoft notified customers about the bug and the recommended changes, it would also be telling hackers about how to break in.

Alternatively, Microsoft could have created a patch that would be distributed as part of its monthly software updates. But the company did not patch immediately and instead dug deeper. It was not aware that anyone was using Hanson's method, and it wanted to be sure it had a comprehensive solution.

"We performed an investigation to identify other potentially similar methods and ensure that our fix addresses more than just the issue reported," Microsoft said through a spokesman. "This was a complex investigation."

Hanson declined interview requests.

It is unclear how the unknown hackers initially found Hanson's bug. It could have been through simultaneous discovery, a leak in the patching process, or even hacking against Optiv or Microsoft.

In January, as Microsoft worked on a solution, the attacks began.

The initial attacks were carefully aimed at a small number of targets and so stayed below the radar. But in March, security researchers at FireEye Inc noticed that a notorious piece of financial hacking software known as Latenbot was being distributed using the same Microsoft bug.

FireEye probed further, found the earlier Russian-language attacks, and warned Microsoft. The company, which confirmed it was first warned of active attacks in March, got on track for an April 11 patch.

Then what counts as disaster in the world of bug-fixers struck. Another security firm, McAfee, saw some attacks using the Microsoft Word flaw on April 6.

After what it described as "quick but in-depth research," it established that the flaw had not been patched, contacted Microsoft, and then blogged about its discovery on April 7.

The blog post contained enough detail that other hackers could mimic the attacks.

Other software security professionals were aghast that McAfee did not wait, as Optiv and FireEye were doing, until the patch came out.

McAfee Vice President Vincent Weafer blamed "a glitch in our communications with our partner Microsoft" for the timing. He did not elaborate.

By April 9, a program to exploit the flaw was on sale on underground markets for criminal hackers, said FireEye researcher John Hultquist.

The next day, attacks were mainstream. Someone used the flaw to send documents booby-trapped with Dridex banking-fraud software to millions of computers in Australia.

Finally, on the Tuesday, about six months after hearing from Hanson, Microsoft made the patch available, thanking Hanson, a FireEye researcher and its own staff.

As always, some computer owners are lagging behind and have not installed it.