
Microsoft finally fixes Windows flaw behind last week’s Google beef

by

satya nadella

Microsoft has finally repaired the security flaw that led to a public spat with Google last week.

In a security bulletin issued today, Microsoft revealed that it had fixed a “critical” flaw that was being actively exploited by hackers.

“This security update resolves vulnerabilities in Microsoft Windows,” reads the bulletin. “The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.”

The issue first came to public attention after Google revealed it had uncovered the flaw on October 31. Google actually warned Microsoft about the flaw privately, telling the software giant that it knew the exploit was being used by nefarious parties. In a blog post, Neel Mehta and Billy Leonard, of Google’s Threat Analysis Group, wrote:

“After seven days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. The vulnerability is particularly serious because we know it is being actively exploited.”

It continued: “The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape.”

Then, in a statement to VentureBeat, Microsoft revealed that it wasn’t happy with how Google handled the situation:

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

On November 1, Microsoft Windows and Devices boss Terry Myerson acknowledged that Microsoft had recently detected a “low-volume spear-phishing campaign” from an “activity group” it calls STRONTIUM – though the group is widely known as ‘Fancy Bear’. The group, which Microsoft blamed for exploiting the flaw, has previously been linked to the Russian government, and is accused of being behind the recent US election hacks.

In a blog post, Myerson wrote: "STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organisations, as well as affiliated private sector organisations such as defence contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016."


What do you think of Google's approach to the flaw? Let us know in the comments.

David

November 9, 2016, 2:18 pm

As a consumer I want fixes tested with no unpleasant side effects as well as arriving quickly. Is 7 days enough for a product such as Windows? If not, Google's 7 day target is not helpful and announces the attack method widely. Instead they could ask for evidence of fix progress if they are worried the advisory is not taken seriously.

Guinness1999

November 10, 2016, 12:08 pm

FINALLY! I guess 7 days to write and test code for an OS seems like a really long time for the writer. Why aren't you pressing Google to fix its Chrome vulnerabilities or its security issues in Android? Where's your Android article saying STILL NOT SECURE.
