To understand why it is so difficult to defend computers from even moderately capable hackers , consider the case of the security flaw officially known as Vulnerability-related.DiscoverVulnerability CVE-2017-0199 . The bug was unusually dangerous but of a common genre : it was in Microsoft software , could allow a hacker to seize control of a personal computer with little trace , and was fixed Vulnerability-related.PatchVulnerability April 11 in Microsoft ’ s regular monthly security update . But it had traveled a rocky , nine-month journey from discovery to resolution , which cyber security experts say is an unusually long time . Google ’ s security researchers , for example , give vendors just 90 days’ warning Vulnerability-related.DiscoverVulnerability before publishing Vulnerability-related.DiscoverVulnerability flaws they find Vulnerability-related.DiscoverVulnerability . Microsoft Corp ( MSFT.O ) declined to say how long it usually takes to patch Vulnerability-related.PatchVulnerability a flaw . While Microsoft investigated , hackers found Vulnerability-related.DiscoverVulnerability the flaw and manipulated the software to spy on unknown Russian speakers , possibly in Ukraine . And a group of thieves used it to bolster their efforts to steal Attack.Databreach from millions of online bank accounts in Australia and other countries . Those conclusions and other details emerged from interviews with researchers at cyber security firms who studied the events and analyzed versions of the attack code . Microsoft confirmed the sequence of events . The tale began last July , when Ryan Hanson , a 2010 Idaho State University graduate and consultant at boutique security firm Optiv Inc in Boise , found Vulnerability-related.DiscoverVulnerability a weakness in the way that Microsoft Word processes documents from another format . That allowed him to insert a link to a malicious program that would take control of a computer . The company often pays a modest bounty of a few thousands dollars for the identification of security risks . Soon after that point six months ago , Microsoft could have fixed Vulnerability-related.PatchVulnerability the problem , the company acknowledged Vulnerability-related.DiscoverVulnerability . But it was not that simple . A quick change in the settings on Word by customers would do the trick , but if Microsoft notified Vulnerability-related.DiscoverVulnerability customers about the bug and the recommended changes Vulnerability-related.PatchVulnerability , it would also be telling hackers about how to break in . Alternatively , Microsoft could have created Vulnerability-related.PatchVulnerability a patch that would be distributed Vulnerability-related.PatchVulnerability as part of its monthly software updates . But the company did not patch immediately Vulnerability-related.PatchVulnerability and instead dug deeper . It was not aware that anyone was using Hanson ’ s method , and it wanted to be sure it had a comprehensive solution . “ We performed Vulnerability-related.PatchVulnerability an investigation to identify other potentially similar methods and ensure that our fix addresses [ sic ] more than just the issue reported , ” Microsoft said through a spokesman , who answered emailed questions on the condition of anonymity . “ This was a complex investigation. ” Hanson declined interview requests . The saga shows that Microsoft ’ s progress on security issues , as well as that of the software industry as a whole , remains uneven in an era when the stakes are growing dramatically . Finally , on the Tuesday , about six months after hearing from Hanson , Microsoft made Vulnerability-related.PatchVulnerability the patch available Vulnerability-related.PatchVulnerability . As always , some computer owners are lagging behind and have not installed it . Ben-Gurion University employees in Israel were hacked , after the patch , by attackers linked to Iran who took over their email accounts and sent infected documents to their contacts at technology companies and medical professionals , said Michael Gorelik , vice president of cyber security firm Morphisec . When Microsoft patched Vulnerability-related.PatchVulnerability , it thanked Hanson , a FireEye researcher and its own staff . A six-month delay is bad but not unheard of , said Marten Mickos , chief executive of HackerOne , which coordinates patching efforts between researchers and vendors . “ Normal fixing times are a matter of weeks , ” Mickos said . Privately-held Optiv said through a spokeswoman that it usually gives vendors 45 days to make Vulnerability-related.PatchVulnerability fixes before publishing research Vulnerability-related.DiscoverVulnerability when appropriate , and that it “ materially followed ” that practice in this case . If the patching Vulnerability-related.PatchVulnerability took time , others who learned of the flaw moved quickly . On the final weekend before the patch , the criminals could have sold it along to the Dridex hackers , or the original makers could have cashed in a third time , Hultquist said , effectively staging a last clearance sale before it lost peak effectiveness . It is unclear how many people were ultimately infected or how much money was stolen .