Hackers Could Have Used Word Bug To Insert Malware On Millions Of Computers

Did slow response by Microsoft leave millions at risk?

A slow response time by Microsoft and a premature blog post by McAfee means hackers could have exploited a bug that let them take control of computers around the world and spy on millions. While Microsoft struggled to come up with a fix, hackers used the bug to take control of computers and send spying and banking-fraud software.

Did slow response by Microsoft leave millions at risk?

The security flaw, officially known as CVE-2017-0199, was originally discovered by an Optiv security researcher named Ryan Hanson in July 2016, and after more research, he let Microsoft know in October of 2016. Ryan found a specific weakness in the way that Microsoft Word processed documents from one format to another that could allow hackers to install malware on unsuspecting users.

An impossible decision for Microsoft

The quandary for Microsoft was a proper Catch-22 decision. A simple settings change by users would have been able to prevent Word from being susceptible to exploitation by hackers: But for that solution to have been effective, pretty much every single user of Word worldwide would have had to make the change. Only users who made the change would be protected, and it would have alerted hackers to the existence of the flaw and a probable veritable gold rush of hackers jumping onto exploit bandwagon, would have followed. Quite sanely, Microsoft did not go for that solution.

The other option open to Microsoft was to investigate, create a patch and then roll it out in the hope that nobody else would discover the Word bug before they did. And fair enough, you know, that’s pretty much standard practice across the tech sector for this kind of thing.

Way too long – Microsoft dropped the ball

The problem is that Microsoft took some 180 days, or half a year to fix the issue. That decision to wait, allowed hackers a large window of opportunity to discover and then exploit the flaw, which they eventually did, starting in January of this year.

“We performed an investigation to identify other potentially similar methods and ensure that our fix addresses [sic]more than just the issue reported,”A Microsoft employee told the Reuters news agency, who answered emailed questions on the condition of anonymity. “This was a complex investigation.”

It’s still not clear just how the ‘January’ hackers found Hanson’s bug and started using it for nefarious purposes. But I don’t suppose it really matters.The stable door was open, and the horses had long since gone, come back, taken their saddle and left again.

Hack and spy at leisure

But Microsoft had known of the issue since last October, and it wasn’t until March of this year that the Word-flaw hackers were discovered.  Security researchers at FireEye, another security tech company, told Microsoft that they had found a notorious piece of financial hacking software known as Latenbot being distributed using the CVE-2017-0199 vulnerability.

Tragically for Microsoft, and potentially anyone using Word, in a truly Shakespearean twist, McAfee also found the bug, this time on April 6th. But instead of keeping quiet about the bug, like everyone else was doing, they ended up inadvertently blogging about its discover the next day on April 7th. This was four days before Microsoft issued its patch. McAfee Vice President Vincent Weafer was quick to blame “a glitch in our communications with our partner Microsoft” for the timing.

Sale, Sale, Sale

The McAfee blog post unfortunately carried enough details that hackers were able to jump on the bandwagon within hours.

The inevitable hackathon gold rush consequently ensued. Attacks went mainstream globally. There were reports that one hacker used flaw CVE-2017-0199 to send Word documents laden with Dridex banking-fraud software to millions of computers in Australia.

Anyone, and I mean anyone, currently using Microsoft Word should update their Windows as soon as possible and be really wary of opening Word attachments.

Other options

Of course, you don’t have to use Microsoft Office to write stuff on a computer. There’s a whole host of free all-in-one Office solutions out there, and a host of similarly free word processors as well. It just so happens we here at Filehippo.com have lots of them for you to try and keep forever, totally free, just by clicking here.