
Hackers took advantage of a Word bug for months before Microsoft finally fixed it


A flaw in Microsoft Word left users vulnerable to hackers. Security professionals alerted Microsoft, which fixed the bug in an April 11 patch.

But Microsoft knew about that bug for six months, leaving users vulnerable as it sought to fix the bug in the most comprehensive manner possible, Reuters reports.

In the meantime, thieves used the bug to steal from millions of online bank accounts around the world and to spy on users.

What was the bug?

Ryan Hanson, a security consultant at Optiv Inc., found a weakness in how Word processed documents in other formats. The weakness let him add a link to a program that would take control of a computer.

Hanson found that the flaw was even more potent when combined with existing bugs and told Microsoft, which, like most tech giants, offers a bounty for bugs that could pose security risks.

"This was a complex investigation."
- Anonymous Microsoft spokesman

This left Microsoft with a dilemma. The easiest way to fix the bug was to change user settings. But if Microsoft told everyone to do that, it would effectively be announcing how to hack Word. The company could have made a patch for the bug that would be covered in the monthly automatic updates, but Microsoft feared other similar problems would be left untreated without a more comprehensive approach.

That deliberation meant Microsoft didn't finish the bug's patch for months. But in the meantime, hackers infected computers, many belonging to Russian speakers.

Security firm FireEye saw that a notorious hacking tool was being distributed through the bug and alerted Microsoft in March. Microsoft was already prepared for an April 11 patch. Then another firm, McAfee, saw similar attacks and blogged about its discovery. The blog had enough detail that would-be hackers could follow its instructions. By April 9, a tool was available for sale to exploit the bug.

By the time Microsoft's patch hit, computers from Israel to Australia had been infected and had spread malware. 
