Microsoft took six months to fix a flaw known as CVE-2017-0199, reports Reuters. Meanwhile, hackers used the flaw to launch attacks against online bank accounts in Australia and conduct other nefarious activities, according to Reuters interviews with cybersecurity research firms.
The flaw in Microsoft Word was first discovered by a consultant at a security firm last July and reported to Microsoft last October. While Microsoft investigated, hackers located the flaw and began exploiting it.
Early attacks stayed below the radar, but in March, security researchers at FireEye Inc. noticed the distribution of financial hacking software using the bug, according to the report.
Microsoft planned to fix the bug on April 11 as part of its regular security update. But before it could, researchers at McAfee saw some attacks using the flaw on April 6 and blogged about it on April 7. The post contained enough detail that other hackers were able to copy the attacks. By April 9, a program exploiting the flaw was available in underground markets, according to the report.
The incident demonstrates how much harder it is for a company to fix flaws than it is for cybercriminals to take advantage of them. Microsoft took a cautious approach in not making the flaw public while it investigated and developed a patch it was sure would fix the problem. In doing so, Microsoft also gave hackers a window to find and leverage the flaw.
As cybercriminals become faster and more savvy, companies face an uphill battle in finding and fixing security flaws in a timely manner.
Earlier this month, the hacker group known as Shadow Brokers released a large number of would-be zero day exploits targeting older Windows computers. But in that case, Microsoft quickly reassured customers that the majority of the exploits had already been patched. It’s unclear how Microsoft was alerted to those exploits or how long they knew about them prior to patching them.
It’s yet another reminder of the importance of regularly updating software to ensure the latest, most secure version is utilized.