Microsoft Left A Hole That Hackers Used To Infect Millions With Malware

In a stark example of how complicated coding can be, Microsoft recently received a huge blow when an unpatched vulnerability made it possible for hackers to send out malware that infected millions of users. This activity has been going on for months and affects all versions of the MS Office package, including Office 2016 that also came with the Windows 10 Operating System.

A hole in Microsoft’s defenses, in general, is bad enough, but a malware that can infect users using every supported version of the MS Office products is just devastating. It’s currently the most popular paid productivity software package in the world and is used by both private individuals and corporations. As a result, millions have been at risk of infection since January, PC World reports.

The vulnerability in the software giant’s system was first noticed by the antivirus firm McAfee, which noticed that it has been receiving a lot of Word files that seemed even more suspicious than usual. After looking into them, security experts determined that some form of vulnerability shared by all Office software is being used to send out malware.

In a blog post, the company explains that the vulnerability has something to do with what’s called the Object Linking and Embedding aspect, which is basically how users can add hyperlinks to Word documents. This also provides the hackers with considerable access to Microsoft’s famed security system.

“The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as a .hta file,” the blog post reads. “Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft.”