Microsoft says that a vulnerability in Windows made public by Google has been exploited by a hacking group with links to Russia. The group — known variously as Strontium, Fancy Bear, and APT 28 — has executed several spear phishing attacks, the company says.
Google was criticized for publicizing the vulnerability before Microsoft has released a patch. A fix for the security hole is not due to be released until Tuesday, 8 November — voting day in the US election.
The hacking group is one that has been linked to the Russian government, and is thought to have been behind a number of recent US hacks. Tensions are already running high between the US and Russia — particularly in light of American accusations that Russia has engaged in a hacking campaign designed to interfere with the election.
Writing on Microsoft’s Malware Protection Center blog, Terry Myerson said:
Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.
We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows. Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8.
We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.
To address these types of sophisticated attacks, Microsoft recommends that all customers upgrade to Windows 10, the most secure operating system we’ve ever built, complete with advanced protection for consumers and enterprises at every layer of the security stack. Customers who have enabled Windows Defender Advanced Threat Protection (ATP) will detect STRONTIUM’s attempted attacks thanks to ATP’s generic behavior detection analytics and up-to-date threat intelligence.
While Google ordinarily gives companies a little more breathing room before going public with details of security problems (typically 60 days), in the case of more serious problems, the timescale is reduced. This is done to encourage software manufacturers to speed up the development of patches, but it is a move that has found Google on the receiving end of a tongue lashing in the past.