In May, Vietnamese cybersecurity researcher Dinh Ho Anh Khoa uncovered a vulnerability in Microsoft’s document management software, SharePoint, at an event designed to encourage ethical hacking that makes our technology more robust. He received $100,000 from Trend Micro, the security group that sponsored the event.
As part of the deal, flaws discovered in these competitions must be kept under wraps to give affected companies time to assess the threat, work on a fix, test it and then release it. In this case, Microsoft released its patch by July 8 — a reasonable timeframe, cybersecurity experts say, given there had been no indication the hack had been used “in the wild” until July 7.
Within days of the purported fix, however, it became clear Microsoft engineers had missed something. Sophisticated actors, said to be working on behalf of China, had found a workaround. The vulnerability has been used to target hundreds of entities, including government agencies. Late last month, the U.S. Nuclear Weapons Safety Agency was reported to be among those affected. The attack enables hackers to gain unrestricted access to a victim’s SharePoint system and any valuable data it contains. The exploit would also allow bad actors to “execute code” on that server, advisories explained. Microsoft hurriedly updated its patch, releasing it on July 21. Experts are watching now to see whether it holds.