As I wrote earlier today, there’s a kerfuffle between the rival security teams at Google and Microsoft.
Google went public with details of a zero-day (in other words, unpatched) flaw in the Windows kernel that is being exploited by hackers. Microsoft moaned that Google had only told it privately about the vulnerability a little over a week ago and that it wasn’t reasonable to have expected it to take action yet.
In fact, in Microsoft’s opinion, Google’s public disclosure puts Windows users at “potential risk”, as a patch is not yet available.
Now Microsoft has said that it will be releasing a patch for the flaw (on Tuesday 8 November, as part of its regular round of monthly security updates), and reassured users of the Microsoft Edge browser on Windows 10 Anniversary Update that they are not at risk from the versions of the attack currently being seen in the wild.
In a blog post, Microsoft has also shared more details of who it believes is exploiting the flaw – the notorious Fancy Bear hacking gang (who Microsoft chooses to call by another name, Strontium):
Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.
We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows. Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8.
Microsoft didn’t miss the chance to take an additional potshot at Google:
We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.
Indeed, Microsoft says that it has attributed more zero-day exploits to Fancy Bear / Strontium than any other hacking group it has tracked this year.
The Russian-linked Fancy Bear group (also known as APT28, Sednit or Sofacy) has been linked to a series of high profile attacks, including the embarrassing leak of the email archive of John Podesta, Hillary Clinton’s presidential campaign chief.
Fortunately, unless you move in government, intelligence or military circles you’re unlikely to be of much interest to the Fancy Bear hacking group, and probably don’t need to lose too much sleep about them.
However, now Google has detailed the exploit it opens the door for other online criminals to try to take advantage of it before computers get patched.
You should make sure that your defences are in place – not just keeping your anti-virus and operating systems updated, alongside patching additional software such as Adobe Flash (or removing it entirely), but also taking care to not click on unsolicited links or launch potentially dangerous email attachments.
It only takes a moment’s loss of focus and a misplaced click for an online criminal to compromise your computer.
While you’re waiting for Microsoft to issue its patch, be sure to read their blog for further details.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
2 comments on “Microsoft says you’ll have to wait until next week for Windows zero-day patch”
I have little sympathy for either Microsoft or Google – their products have all fallen victim to some hack or other in the past. If you're going to behave like the playground bully, then expect some flak. Hackers are merely the vigilantes trying to establish some balance to the big boys' exploitation tactics. Putting backdoors into their products to spy on their users, is just asking for it, IMO. Both Microsoft and Google are guilty of collecting far more information than they actually need from their users. A bit of retribution is what they deserve, especially when the hackers are exploiting the channels the big boys put in to spy on us. Personally, I find it all very amusing!
Mirorosoft is wrong. When a vulnerability is actively exploited, the best interest of the "customers" is to disclose publicly.
Shining the light on the vulnerability and the exploit path allows individuals and organizations to explore counter measures with tools Microsoft will not have available. It allows the entire security industry to step up and disrupt the exploit path, disrupting the attacks until a securitu patch is ready.
If Microsoft had their way, the.victimization would have continued with Microsoft's full knowledge.
Google's decision was in the best interest of the community whose are threatened by this vulnerability.