Microsoft Word Bug Exposed Bank Accounts and Cybersecurity Weaknesses

Digital vulnerabilities can rise up in the most unexpected places, as investigators well know. Just look at the recent flaw in Microsoft Word, which allowed both foreign intelligence agencies and private hacking groups to infiltrate infected computers and steal banking information from Word users around the world.

The Microsoft Word CVE-2017-0199 bug, as it’s known, was out in the wild for almost 9 months from when it was discovered until the time it was patched, according to reports from Reuters.

A bug that flew under the radar

The flaw in Microsoft Word was not particularly elaborate, and fixing it wasn’t necessarily a sophisticated process, Microsoft told Reuters. But the process of fully investigating and tracking down both the bug and its potential uses took longer than expected, and the involvement of multiple private third-party experts and vendors complicated matters.

The bug was actually located by Ryan Hanson, a computer security consultant at Optiv Inc., who discovered that when processing documents from external formats, Word was vulnerable to malware that would ultimately let it fully control the host computer. Hanson followed up this discovery with more research into how the bug might be weaponized, then reached out to Microsoft to inform them in October 2016.

Microsoft acknowledged the flaw, but didn’t immediately move to patch the problem. Why? Well, releasing a public security recommendation would inform hackers about it, who tend to be a bit more attentive to cybersecurity news than the average Word user, creating a massive window of vulnerability between release and full implementation. Similar problems existed with fixing it in a routine update patch.

“We performed an investigation to identify other potentially similar methods and ensure that our fix addresses more than just the issue reported,” a Microsoft spokesperson told Reuters. “This was a complex investigation.”

The consequences of delay

No one - except the hackers themselves - know when the bug Hanson discovered began to spread through the wild. By the time of reporting, it had been employed by a number of malicious actors, including:

  • Users of a Gamma Group eavesdropping software package attempting to infiltrate the systems of Russian and/or Ukrainian users, probably related to the civil war in Eastern Ukraine.
  • Hackers employing the Dridex bank-fraud software to raid accounts via Australian computer networks.
  • Researchers at Ben-Gurion University in Israel were targeted by attackers, possibly Iranian, who then forwarded documents with the bug to other industry contacts.

Part of the reason that so many hackers were able to exploit this vulnerability for so long was that another security firm, McAfee, posted a public blog about the issue - after contacting Microsoft but before a fix had been decided on and released. In the world of cybersecurity professionals, this represents a fairly severe breach of protocol, and McAfee Vice President Vincent Weafer told Reuters there had been “a glitch in our communications with our partner Microsoft.”

Alerting hackers who were unaware of the vulnerability proved a critical mistake - criminals could buy programs to exploit the flaw on the software black market within a day of the news release.

Challenges proliferate in securing systems

The saga of CVE-2017-0199 illustrates neatly how difficult it can be not only to secure systems against digital intrusion, but to deal with the ramifications once a breach is found. The damage was done not in a single instance, but through a cascading series of failures.

First, the initial failure occurred when the software was left vulnerable, and was followed up by the delayed response from Microsoft as they tried to determine the best plan of action. As they waited, the third failure occurred, presumably as a result of miscommunications between the Redmond, Washington firm and McAfee.

The lesson here is that you cannot simply fight the war against cybercrime on the front lines - you need defense in depth. When systems are attacked or compromised, it’s important to have a clear plan of action and well-trained staff to investigate and track down the intrusion. Clear policies are required for how to handle it in the aftermath - as with the Microsoft Word bug, a disorganized cure can sometimes do more damage than the disease.

Technology also plays an important role - with digital threats spreading across platforms and systems at an ever-increasing rate. In turn, this demands investigative and analytical solutions able to cope with a vast array of data points, social media networks, users and other streams of information. Every organization needs to think about these questions - do you have the tools you need to prevent a security breach? And will you be able to to respond, in a timely and effective fashion, if one does occur.