Microsoft announced that it will fix a dangerous new zero-day security flaw in Windows that it says is being exploited by hackers in Russia. But Microsoft is also understandably outraged that Google inexplicably outed the flaw before a patch was ready.
“Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign,” Microsoft executive vice president Terry Myerson explains. “This attack campaign … used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.”
That specific set of customers is the first bit of blockbuster news to come out of this event: Hackers in Russia, almost certainly state-sponsored, were silently targeting “government agencies, diplomatic institutions, military organizations, defense contractors, and public policy research institutes,” Microsoft says. Or, as has been more widely reported, the Democratic National Committee and the Democratic Congressional Campaign Committee: Russia is broadly suspected of trying to impact the outcome of the U.S. presidential election.
How news of the flaw came to light is the second bit of blockbuster news to come out of this event: After privately warning Microsoft about the flaw on October 21, Google inexplicably chose to publicly reveal the flaw on Monday, and before Microsoft was ready to patch it. Why? Because Google’s policy is to publish information about actively-exploited software flaws after seven business days. And to do so regardless of the impact it has on customers.
“This vulnerability is particularly serious because we know it is being actively exploited,” Google admitted Monday. “The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape … We encourage users to apply Windows patches from Microsoft when they become available for the Windows vulnerability.”
Microsoft, as noted, was outraged at Google’s disclosure, as it was planning to patch this flaw in next week’s set of security patches. In public, however, the software giant has been more restrained.
“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” Mr. Myerson correctly asserts. “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure.”
As for the flaw itself, Microsoft says that an “activity group” called STRONTIUM—more widely known as “Fancy Bear” or APT 28—conducted a “spear phishing” campaign via email to exploit flaws in both Flash and Windows and gain access to “sensitive information” throughout the victims’ networks. The software giant also notes that STRONTIUM is responsible for more zero-day exploits than any other group in 2016.
“STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer,” Mr. Myerson explained.
Adobe has released an update that addresses this flaw in its software. And Microsoft will patch the flaw in various Windows versions—Windows Vista, 7, 8.x, and Windows 10 through version 1511—next Tuesday. But in the meantime, it notes that customers using Microsoft Edge on Windows 10 with the Anniversary Update installed are protected from this attack. And Microsoft, of course, recommends that all customers upgrade to Windows 10.