Learn What IT Pros Need to Know About Windows 11 - August 26th at 1 PM ET! Learn What IT Pros Need to Know About Windows 11 - August 26th at 1 PM ET!
Security|Windows 10|Windows 7|Windows 8|Windows Vista

Microsoft to Fix Zero-Day Windows Flaw That Was Outed by Google

Microsoft to Fix Zero-Day Windows Flaw That Was Outed by Google

Microsoft announced that it will fix a dangerous new zero-day security flaw in Windows that it says is being exploited by hackers in Russia. But Microsoft is also understandably outraged that Google inexplicably outed the flaw before a patch was ready.

“Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign,” Microsoft executive vice president Terry Myerson explains. “This attack campaign … used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.”

That specific set of customers is the first bit of blockbuster news to come out of this event: Hackers in Russia, almost certainly stated-sponsored, were silently targeting “government agencies, diplomatic institutions, military organizations, defense contractors, and public policy research institutes,” Microsoft says. Or, as has been more widely reported, the Democratic National Committee and the Democratic Congressional Campaign Committee: Russia is broadly suspected of trying to impact the outcome of the U.S. presidential election.

Sponsored Content

Read the Best Personal and Business Tech without Ads

Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.

How news of the flaw came to light is the second bit of blockbuster news to come out of this event: After privately warning Microsoft about the flaw on October 21, Google inexplicably chose to publicly reveal the flaw on Monday, and before Microsoft was ready to patch it. Why? Because Google’s policy is to publish information about actively-exploited software flaws after seven business days. And to do so regardless of the impact it has on customers.

“This vulnerability is particularly serious because we know it is being actively exploited,” Googleadmitted Monday. “The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape … We encourage users to apply Windows patches from Microsoft when they become available for the Windows vulnerability.”

Microsoft, as noted, was outraged at Google’s disclosure, as it was planning to patch this flaw in next week’s set of security patches. In public, however, the software giant has been more restrained.

“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” Mr. Myerson correctly asserts. “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure.”

As for the flaw itself, Microsoft says that an “activity group” called STRONTIUM—more widely known as “Fancy Bear” or APT 28—conducted a “spear phishing” campaign via email to exploit flaws in both Flash and Windows and gain access to “sensitive information” throughout the victims’ networks. The software giant also notes that STRONTIUM is responsible for more zero-day exploits than any other group in 2016.

“STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer,” Mr. Myerson explained.

Adobe has released an update that addresses this flaw in its software. And Microsoft will patch the flaw in various Windows versions—Windows Vista, 7, 8.x, and Windows 10 through version 1511—next Tuesday. But in the meantime, it notes that customers using Microsoft Edge on Windows 10 with the Anniversary Update installed are protected from this attack. And Microsoft, of course, recommends that all customers upgrade to Windows 10.


Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

Paul Thurrott is an award-winning technology journalist and blogger with over 20 years of industry experience and the author of over 25 books. He is the News Director for the Petri IT Knowledgebase, the major domo at Thurrott.com, and the co-host of three tech podcasts: Windows Weekly with Leo Laporte and Mary Jo Foley, What the Tech with Andrew Zarian, and First Ring Daily with Brad Sams. He was formerly the senior technology analyst at Windows IT Pro and the creator of the SuperSite for Windows.

Register for Advanced Microsoft 365 Day!

GET-IT: Advanced Microsoft 365 1-Day Virtual Conference - Live August 24th!

Join us on Tuesday, August 24th and hear from Microsoft MVPs and industry experts about how to take advantage of Microsoft 365 at a technical level and dive deep into the features and functionality that will make your environment more secure and compliant.


Sponsored By