Microsoft's delays to fix Word flaw let hackers hit millions of PC users

Microsoft's inability to fix a security flaw in its Word software left millions of users open to attack from hackers, a report has found. 

Reuters has found that the popular word processor was left vulnerable for so long that hackers were able to send fraud software to countless users, leaving little trace of an attack.

This was despite the flaw (known as CVE-2017-0199) being pointed out to Microsoft by Optiv Inc security consultant Ryan Hanson six months prior to the eventual April 11th fix.

  • Avoid Windows altogether by switching to one of these Chromebooks

Slow but steady approach

The Word flaw allowed Hanson to insert a link to malicious software during a process in which Word converted one file format to another. This could then be combined with other malicious processes to magnify the threat.

Aware of the issues, and with no users apparently affected by the threat, Microsoft took the time to investigate the matter more thoroughly before patching it up.

"We performed an investigation to identify other potentially similar methods and ensure that our fix addresses more than just the issue reported," Microsoft said. "This was a complex investigation."

However, a series of unfortunate events led to this approach becoming problematic. At some point during the investigation, the flaw made its way to the hacking community, with attacks beginning this January. A number of security researchers spotted the flaw, and informed Microsoft, including McAfee. But a communications breakdown saw McAfee go public with the details of the flaw before Microsoft had made the fix publically available, and the floodgates for hackers were then open.

A fix for the issue is now available, but some users are still straggling behind without the update. So let this be a warning to you – if you're a Microsoft Word user, make sure you're running the most up-to-date versions available.