MS Word flaw unpatched ‘for months’

Published on: 2 May 2017

A vulnerability in Microsoft Word was exploited by hackers for around nine months before it was fixed, security researchers have said.

The flaw, which let attackers take control of a computer via malicious document files, was first discovered by security researcher Ryan Hanson at Optiv in July 2016. Microsoft was informed of the bug in October, but the vulnerability has only just been patched.

Microsoft chose not to notify Word users of the weakness so as not to publicise its existence; however, many hackers may have discovered it on their own.

Mr Hanson, a university graduate, found that if he inserted a malicious program link into a Word document and forwarded it on to another user, the bug - named CVE-2017-0199 - would enable him to control that user's computer once they clicked the link.

A spokesman for Microsoft said: “We performed an investigation to identify other potentially similar methods and ensure that our fix addresses more than just the issue reported. This was a complex investigation.”