Microsoft took so long to fix a Word flaw that someone blew the bloody doors off it
Date: 2017-04-27

YOU KNOW THAT COMPANY CALLED MICROSOFT, and the thing that it has called Word, well guess what, it had a vulnerability.

There is nothing new there. Word has holes like fishing nets and Microsoft regularly patches it and the other range of so-called productivity tools that it offers as Office. What happened in this case is that Microsoft knew about the vulnerability and sat on it for so long that a bad person did what bad people do when there is something to exploit. They exploited it.

The security flaw is known as CVE-2017-0199, and it was fixed by Microsoft in its patch release of 11 April. That's fine, but it is also too late, and according to reports the flaw has enabled the infection of millions of computers. Microsoft has done this before, but here it had a massive opportunity to make good.

A report on The Telegraph finds someone from the HackerOne group speaking derisively of Microsoft's turnaround. "Normal fixing times are a matter of weeks," said Marten Mickos, chief executive of HackerOne.

Microsoft declined to comment on how long such things take. This did not surprise us at all.

The Telegraph says that the resulting malware has been used to spy on Russian speakers and by a criminal group to steal money from Australian banks. Microsoft should probably not expect any thank you cards from those victims soon.

It might consider sending one to Optiv Inc security consultant Ryan Hanson, who alerted it to the issue six months ago. Information on CVE-2017-0199 released by Microsoft claims that the vulnerability is fixed in the patches.

"A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," it says.

"Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Microsoft Office or WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file. The update addresses the vulnerability."