Microsoft finally solves its bug problem, nine months after discovery
When a Windows bug without a fix is on the prowl, mayhem is inevitable. CVE-2017-0199, a bug discovered in Microsoft Word, allowed a hacker to get into a computer, take control of it and exit without leaving any major trace. What is surprising is that, even after the bug was reported, it took Microsoft nine months to fix it.
The bug was discovered way back in July 2016
A weakness in the processing of files in other formats led university graduate Ryan Hanson to the bug. He found that by inserting a link to a malicious program in a Word document and sending it to someone, he could take control of that user's computer once they clicked the link. He worked on it for 6 more months before informing Microsoft.
The first bug attack targeted Russian speakers
Eavesdropping software made by Gamma Group was installed on computers in Russia by this method, enabling the hackers to take control of the targeted computers. The attackers did this by emailing Word documents that exploited the bug, posing as documents related to military issues in Russia and areas of Eastern Ukraine held by Russia-backed rebels.
McAfee reveals the hack causing chaos
A set of attacks using the same bug was described in a "quick but in-depth research" post by McAfee while Microsoft was developing the fix. McAfee had informed Microsoft but, instead of waiting for the fix, published its research and later said it was "a glitch in our communications with our partner Microsoft". The blog divulged details, giving others an opportunity to mimic the attacks.
Financial accounts were also at risk
Following the hacks in Russia, financial accounts across the world also came under threat from the same bug, according to security researchers at FireEye Inc. FireEye found that hacking software named Latentbot, aimed at financial accounts, was being distributed using the Microsoft bug. Microsoft finally took notice and started working on fixing the problem.
Major attacks could have been avoided with timely intervention
Cyber security experts opined that 9 months is an unusually long time for Microsoft to fix a bug. When pressed, the company declined to reveal how long it usually takes to fix a security flaw. It did, however, accept that had the process not been so complicated, it could have solved the bug six months ago with a change in settings.
The actual reason behind the delay
Microsoft stated that if it had informed users about the bug earlier, it would also have exposed the flaw to other hackers, who would have caused more damage than had already been done. The tech giant wanted to dig deeper for a comprehensive solution rather than a quick fix. Therefore, the idea of including a patch in monthly updates was also scrapped.