Hackers exploited Word flaw for months while Microsoft investigated

Soldiers in Ukraine, political figures in Russia, online bank accounts in Australia and a university in Israel may have been the targets of hackers exploiting a flaw in Microsoft Word, according to a report by Reuters cyber security expert Joseph Menn.

“To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199,” he writes. “The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft’s regular monthly security update.” But, said Menn, “it had traveled a rocky, nine-month journey from discovery to resolution, which cyber security experts say is an unusually long time”.

Google’s security researchers, for example, give vendors just 90 days’ warning before publishing flaws they find. Microsoft declined to say how long it usually takes to patch a flaw. While Microsoft investigated, hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine. And a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries. Attackers linked to Iran are said to have targeted Ben-Gurion University employees in Israel.

“The saga shows that Microsoft’s progress on security issues, as well as that of the software industry as a whole, remains uneven in an era when the stakes are growing dramatically,” said Menn.