Hackers used Microsoft Word bug 'for months'

  • Published
Microsoft Word
Image caption,
The bug was found in Microsoft Office software - and went unfixed for months

A bug in Microsoft Word was exploited by hackers for months before it was eventually fixed, according to security researchers.

The flaw allowed attackers to take control of a computer via malicious document files.

The zero-day, or previously undetected, vulnerability was patched earlier this month.

However, it has since emerged that Microsoft was told about it in October, nearly six months ago.

A report from the Reuters news agency notes that security researcher Ryan Hanson at Optiv first discovered the problem in July 2016.

Microsoft could have notified customers to make a change to settings in Word that would have prevented the vulnerability from being exploited - but that would also have alerted hackers to its existence.

The decision to wait for a patch seems to have allowed a window of opportunity for hackers to discover the flaw on their own.


In March, cyber-security company FireEye noticed financial hacking software that was being distributed with the Microsoft bug.

And another company, McAfee, found attacks that were exploiting it, too.

McAfee faced some criticism, however, for publishing a blog post about the vulnerability - with details hackers may have found useful - two days before it was fixed.

Yet another company, Proofpoint, found that the vulnerability was being targeted by scammers trying to distribute Dridex malware - which infects a victim's computer before snooping on banking logins.

Image source, AFP
Image caption,
Scammers were caught trying to infect people's computers with malware via the vulnerability

There were even reports of hacking after the patch was made available.

Cyber-security outlet Morphisec said that employees at Ben-Gurion University in Israel had had their email accounts compromised by attackers who had then sent infected documents to medical professionals and contacts at technology companies.

"Prior to public disclosure, our engineers were aware of a small number of attempts to use this vulnerability through targeted spam designed to convince users to open a malicious attachment," a Microsoft spokesman said.

Customers who applied the 11 April security update were already protected, he added.

"In an ideal world, it would have been fixed sooner," said cyber-security expert Graham Cluley.

However, he pointed out that patching software run on millions of computers around the world was not an easy process.

"There's always this huge challenge because companies want to patch their software, but they want to do it properly - they want to make sure they've been comprehensive with the fix," he told the BBC.