Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Microsoft Privacy

Hackers Exploited Word Flaw For Months While Microsoft Investigated (reuters.com) 46

An anonymous reader writes: To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199. The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft's regular monthly security update. But it had traveled a rocky, nine-month journey from discovery to resolution, which cyber security experts say is an unusually long time. Google's security researchers, for example, give vendors just 90 days' warning before publishing flaws they find. Microsoft declined to say how long it usually takes to patch a flaw. While Microsoft investigated, hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine. And a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries.
This discussion has been archived. No new comments can be posted.

Hackers Exploited Word Flaw For Months While Microsoft Investigated

Comments Filter:
  • by __aaclcg7560 ( 824291 ) on Thursday April 27, 2017 @11:08AM (#54313495)

    Microsoft = Job Security*

    * If you work for Microsoft, you're screwed. But for everyone else using Microsoft, you're golden.

    • Microsoft makes more money if there are flaws.

      Everyone who wants a new version of Windows must pay a full price, and get a new version that also has flaws.
    • Yeah, I admit to never having been a fan of Micro$oft, but I do recall years back, the final time I was a contractor there, this time in tech support, some of us would routinely solve problems which had gone all the way up the queue to the MS senior engineering group (but the customer always forgot or misplaced their numbers of course, so began all over) but were still unsolved. Not impressed . . .
      • The one thing I've noticed about reading of the flaws in m$ stuff is that Hackers not to hack Big Dogs. These animals use m$. So in the words coined by our, um, Fearless Leader and Chief, I state, "I would love to see WikiLeak's show Trump's and Friends tax returns."
  • Knee-jerk Reaction (Score:5, Insightful)

    by ausekilis ( 1513635 ) on Thursday April 27, 2017 @11:16AM (#54313549)

    Make the vendor responsible for losses in critical applications.

    If MS had to cough up millions for every bank hack, you could be damn sure they would refine their code for such applications. Or, you know, go bankrupt. Either way, people win!

    • by Bert64 ( 520050 ) <.moc.eeznerif.todhsals. .ta. .treb.> on Thursday April 27, 2017 @11:28AM (#54313637) Homepage

      Microsoft software is not intended for use in critical applications, it says so in the license agreement.
      If you're using it in such an environment you're in breach of the terms and so the liability comes back to you. Plus MS will sue you for pirating their software.

    • You can have that however you have to accept a few things:

      1) Costs are going to go way up. You aren't going to pay $50 or $100 for a software package, it'll be 5 or 6 figures. You'll be paying for all the additional testing, certification, and risk.

      2) You won't get new stuff. Everything you use will be old tech. You'll be 5-10 years out of date because of the additional time needed to test and prove things. When a new chip or whatever comes on the market it'll be a good bit of time before it has undergone a

      • You seem to be confusing "consumer" with "critical" applications.

        You can have that however you have to accept a few things:

        1) Costs are going to go way up. You aren't going to pay $50 or $100 for a software package, it'll be 5 or 6 figures. You'll be paying for all the additional testing, certification, and risk.

        Only for critical software. You know, things like banks, hospitals, etc... Those guys should be making damn sure that their environments and software are secure and work as advertised. We're talking peoples lives here.

        2) You won't get new stuff. Everything you use will be old tech...

        This isn't much of a change from today. ATM's and EKG machines running Windows XP (or older).

        3) You will not be permitted to modify anything. You will sign a contract (a real paper one) up front that will specify what you can do with the solution, and what environment it must be run in. Every component will have to be certified, all software on the system, the system itself, any systems it connects to, etc. No changes on your part will be permitted, everything will have to be regression tested and verified before any change is made.

        CEO's probably would balk at this, but it's arguably necessary. It may even already be done to some extent, medical equipment must be c

        • And yet the software you are complaining about is MS Word. That is consumer software. To me, this just seems lime more "MS should be held accountable for everything because I don't like them," crap.

  • ArsTechnica (Score:3, Interesting)

    by aafrn ( 4718199 ) on Thursday April 27, 2017 @11:19AM (#54313573)
    ArsTechnica ran this story 2 weeks ago... congrats Reuters... now stop covering tech topics... you suck at it
  • by PPH ( 736903 )

    For how long as MSWord had VB scripting, .NET and other vulnerabilities buit in?

  • by atrimtab ( 247656 ) on Thursday April 27, 2017 @03:18PM (#54315309)

    This story is so old and happens so often that it isn't news. That it continues is very frustrating for anyone who has been in the Internet industry since the Internet became popular around the release of Windows 3.1.

    Windows is impossible to secure. I'm sure that if I bother to search a few darker spots of the net I will find current working unpatched Windows "total takeover" exploits.

    The only good news appears to be that it used to take years rather than only 9 months for Microsoft to respond with effective patches.

    Until Microsoft can be held responsible for the losses associated with using their software none of this will ever change. There is a very good reason that most Internet startups do NOT use Windows on their customer facing servers. It is just not maintainable.

    Open source isn't perfectly secure, but at least knowledgeable persons can debug and patch it much, much faster than 9 months.

    Microsoft usually ignores or spends a long time fixing severe bugs or design issues which can kill any business dumb enough to adopt Windows even with all kinds of regularly ineffective "3rd party protection."

    Apple is better than Microsoft, but still weak in so many areas that it is also a non-starter for Internet facing servers.

    Here is a simple test: If you need to add Anti-virus software or added firewalls you are using an insecure operating system unfit for use on the Internet.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...