A flaw in Microsoft Word left users vulnerable to hackers. Security professionals alerted Microsoft, who fixed the bug in an April 11 patch.
But Microsoft had known about that bug for six months, leaving users vulnerable while it sought to fix the bug in the most comprehensive manner possible, Reuters reports.
In the meantime, thieves used the bug to steal from millions of online bank accounts around the world and spied on users.
What was the bug?
Ryan Hanson, a security consultant at Optiv Inc., found a weakness in how Word processed documents in other formats. The weakness let him embed a link to a program that would take control of a computer.
Hanson found that the flaw was even more potent when combined with existing bugs and told Microsoft, which like most tech giants offers a bounty for bugs that could pose security risks.
This was a complex investigation.
This left Microsoft with a dilemma. The easiest way to fix the bug was to change user settings. But if Microsoft told everyone to do that, it would effectively be announcing how to hack Word. The company could have made a patch for the bug that would be covered in the monthly automatic updates, but Microsoft feared other similar problems would be left untreated without a more comprehensive approach.
That deliberation meant Microsoft didn't finish the bug's patch for months. But in the meantime, hackers infected computers, many belonging to Russian speakers.
Security firm FireEye saw that a notorious hacking tool was being distributed through the bug and alerted Microsoft in March. Microsoft was already preparing an April 11 patch. Then another firm, McAfee, saw similar attacks and blogged about its discovery. The blog had enough detail that would-be hackers could follow its instructions. By April 9, a tool that exploited the bug was available for sale.
By the time Microsoft's patch hit, computers from Israel to Australia had been infected and had spread malware.