Microsoft blames Russian hackers for ‘critical’ Windows exploit – after Google exposed it

Update: Microsoft has blamed STRONTIUM, a hacker group with alleged links to the Russian government, for the recent cyber attacks revealed by Google as a “critical vulnerability” in Windows.

In a blog post dated November 1, Microsoft Windows and Devices Group Executive Vice President Terry Myerson acknowledged that Microsoft had recently detected a “low-volume spear phishing campaign” from an “activity” group it calls STRONTIUM, though the group is also widely known as ‘Fancy Bear’.

The group has previously been linked to the Russian government and accused of being behind the recent US election hacks.

Myerson writes:

“STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016.”

Microsoft also issued an official guidance, recommending that potentially affected users upgrade to the latest version of Windows 10 immediately, enable Windows Defender Advanced Threat Protection, and wait for a patch to be issued on its next ‘Patch Tuesday’, which is set for November 8.

‘Critical’ Windows bug revealed by Google – what’s the story?

On October 21, Google warned Microsoft privately about a major security flaw in Windows that was already being exploited by hackers. Then, just 10 days later, Google went live to the public with the flaw. Unfortunately, when Google published its findings in detail, Microsoft still hadn’t fixed the issue, which potentially left Windows users more exposed than they had been before.

“After seven days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” reads a blog post written by Neel Mehta and Billy Leonard, of Google’s Threat Analysis Group. “The vulnerability is particularly serious because we know it is being actively exploited.”

It continued: “The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape.”

But in a statement to VentureBeat, Microsoft revealed it wasn’t too chuffed with Google going public about the flaw. It reads:

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

So what should you do to stay safe? Well, it appears that the vulnerability can be traced to a flaw in Adobe Flash, which has since been patched by Adobe. But Google still recommends that if you’re using an auto-updater for Flash, you should verify whether or not you have the latest version. And it also recommends that you immediately apply any Windows patches from Microsoft “when they become available for the Windows vulnerability”.

Related: Microsoft Surface Studio features

Watch: Microsoft Surface Studio – First Look

Do you think Google’s controversial strategy of exposing security flaws just seven days after privately disclosing them is right or wrong? Let us know in the comments.