Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.

Microsoft finally fixes Windows flaw behind last week’s Google beef

Microsoft has finally repaired the security flaw that led to a public spat with Google last week.

In a security bulletin issued today, Microsoft revealed that it had fixed a “critical” flaw that was being actively exploited by hackers.

“This security update resolves vulnerabilities in Microsoft Windows,” reads the bulletin. “The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.”

The issue first came to public attention on October 31, when Google revealed it had uncovered the flaw. Google had actually warned Microsoft about the flaw privately, telling the software giant that it knew the exploit was being used by nefarious parties. In a blog post, Neel Mehta and Billy Leonard, of Google’s Threat Analysis Group, wrote:

“After seven days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. The vulnerability is particularly serious because we know it is being actively exploited.”

It continued: “The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape.”

Then, in a statement to VentureBeat, Microsoft revealed that it wasn’t happy with how Google handled the situation:

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

On November 1, Microsoft Windows and Devices boss Terry Myerson acknowledged that Microsoft had recently detected a “low-volume spear-phishing campaign” from an “activity group” it calls STRONTIUM – though the group is more widely known as ‘Fancy Bear’. The group, which Microsoft blamed for exploiting the flaw, has previously been linked to the Russian government, and is accused of being behind the recent US election hacks.

In a blog post, Myerson wrote: “STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organisations, as well as affiliated private sector organisations such as defence contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016.”

