Thursday, March 28, 2024 | Ramadan 17, 1445 H
EDITOR IN CHIEF- ABDULLAH BIN SALIM AL SHUEILI

Hackers exploited Microsoft Word flaw for six months


The saga shows that progress on security issues remains uneven in an era when the stakes are growing dramatically.  


SAN FRANCISCO: To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199.


The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed on April 11 in Microsoft’s regular monthly security update.


But it had travelled a rocky, nine-month journey from discovery to resolution, which cyber security experts say is an unusually long time.


Google’s security researchers, for example, give vendors just 90 days’ warning before publishing flaws they find. While Microsoft investigated, hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine. And a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries.


The tale began last July, when Ryan Hanson, a 2010 Idaho State University graduate and consultant at boutique security firm Optiv Inc in Boise, found a weakness in the way that Microsoft Word processes documents from another format. That allowed him to insert a link to a malicious program that would take control of a computer. Hanson spent some months combining his find with other flaws to make it more deadly, he said on Twitter. Then in October he told Microsoft. The company often pays a modest bounty of a few thousand dollars for the identification of security risks.


Soon after that point six months ago, Microsoft could have fixed the problem, the company acknowledged.


But it was not that simple. A quick change in the settings on Word by customers would do the trick, but if Microsoft notified customers about the bug and the recommended changes, it would also be telling hackers about how to break in.


The saga shows that Microsoft’s progress on security issues, as well as that of the software industry as a whole, remains uneven in an era when the stakes are growing dramatically.


The first known victims were sent emails enticing them to click on a link to documents in Russian about military issues in Russia and areas held by Russian-backed rebels in eastern Ukraine, researchers said.


Their computers were then infected with eavesdropping software made by Gamma Group, a private company that sells to agencies of many governments. On Tuesday, about six months after hearing from Hanson, Microsoft made the patch available. — Reuters

