Researchers have revealed that a data security flaw in Microsoft Word was exploited by hackers for months before Microsoft finally patched it.
This zero-day exploit allowed hackers to take full control of a computer by infecting it with malicious document files. Apparently, though, Microsoft had already been told about it in October, nearly half a year ago. The question presents itself quite naturally: why did they wait so long?
Reuters reports seem to suggest that the data security problem was noticed even before that. Specifically, in July 2016, Ryan Hanson, a security researcher, had already discovered it.
If Microsoft had decided to alert its customers, those customers could have made a simple change in Word's security settings, rendering the exploit ineffective. However, this course of action would also have alerted the hackers to the vulnerability's existence.
McAfee, a cyber security company, has also noticed that some attacks were exploiting the bug. The company has faced some criticism for publishing a report with details the hackers might find useful. This is because the report was released two days prior to the bug being patched, giving the hackers enough time to take advantage of it before the vulnerability was no longer there.
Graham Cluley, a cyber security expert, mentioned that in an ideal world, the patch would have been released sooner. However, he also pointed out that patching a piece of software that is used on millions of computers is not an easy process at all, and is something that companies want to do comprehensively.