Hackers exploited flaw as Microsoft investigated, Latest World News - The New Paper

Hackers exploited flaw as Microsoft investigated

This article is more than 12 months old

SAN FRANCISCO To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199.

The bug was unusually dangerous and could allow a hacker to seize control of a personal computer with little trace.

It was fixed on April 11 in Microsoft's regular monthly security update.

But cyber security experts say that the nine-month journey from discovery to resolution is an unusually long time.

Google's security researchers, for example, give vendors just 90 days' warning before publishing flaws they find.

Microsoft Corp declined to say how long it usually takes to patch a flaw.

While Microsoft investigated, hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine.

And a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries.

The tale began last July, when Mr Ryan Hanson, a Idaho State University graduate and consultant at boutique security firm Optiv Inc in Boise, found a weakness in the way that Microsoft Word processes documents from another format.

That allowed him to insert a link to a malicious programme that would take control of a computer. He spent some months combining his find with other flaws to make it more deadly, he said on Twitter.

Then, in October, he told Microsoft, which often pays a modest bounty of a few thousands dollars for the identification of security risks.

Soon after that point six months ago, Microsoft could have fixed the problem, the company acknowledged.

But it was not that simple.

A quick change in the settings on Word by customers would do the trick, but if it notified customers about the bug and the recommended changes, it would also be telling hackers about how to break in.

Alternatively, Microsoft could have created a patch that would be distributed as part of its monthly software updates.

But the company did not patch immediately and instead dug deeper. It was not aware that anyone was using Mr Hanson's method and it wanted to be sure it had a comprehensive solution.

The saga shows that Microsoft's progress on security issues, as well as that of the software industry as a whole, remains uneven in an era when the stakes are growing dramatically.- REUTERS