Microsoft took six months to fix an Office exploit

More than 1 billion Microsoft Office users were at risk from the exploit that let hackers hide malware in Word files.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read

It looks like you're trying to patch an exploit. Would you like some help?


After Microsoft learned about a flaw that let hackers disguise attacks in Word documents, it only took the company half a year to release a patch.

The exploit, which Microsoft reportedly learned about in October 2016, hid malware in .doc files and put Windows and Office users at risk. When a victim opened the .doc file, it would automatically connect to a server and download an HTML application that gave hackers full control of the device. The exploit worked on every version of Office.

Microsoft released a patch for the issue on April 11. Between the time that Microsoft learned about the flaw and actually fixed it, the Chicago Cubs won the World Series, the Samsung Galaxy Note 7 was recalled (twice), President Donald Trump was sworn into office and NASA found seven exoplanets likely to host life. Yeah, a lot of things can happen in six months.

Ryan Hanson, a security consultant for Optiv, first notified Microsoft about the vulnerability in October, Reuters reported on Thursday, before any hackers had used the exploit. Microsoft told Reuters that fixing the problem was tricky because it couldn't warn users without tipping off hackers.

"There are many factors that affect the length of time between the discovery of an issue and the release of a security update, as every vulnerability is different with its own unique challenges," a Microsoft representative said in a statement. "Ultimately, developing a security update is a delicate balance between timeliness and best quality."

Companies take a risk by dragging their feet on informing users about exploits. Yahoo is still dealing with a potential Senate hearing after Sen. Mark Warner argued the internet giant didn't inform users quickly enough about a breach that affected 500 million accounts. In Microsoft's case, hackers caught wind of the Office exploit before a patch had been released.

In January, McAfee noticed the first attacks using the vulnerability, which put up to 1.2 billion people using Microsoft Office at risk. Microsoft didn't learn about active attacks until March, when security firm FireEye shared its discoveries with the company.

Attacks skyrocketed after McAfee disclosed details of the bug on April 7, four days before Microsoft released its patch.

"We did not observe widespread activity until after information was disclosed by McAfee," a Microsoft spokesperson said.

The saga finally ended when Microsoft released its patch earlier this month. However, users who haven't updated Office remain vulnerable.

Batteries Not Included: The CNET team reminds us why tech is cool.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.