Russian hackers believed to be behind the Democratic National Committee hack have already exploited the latest Windows bug. The security issue was discovered by Google’s security team and revealed to the world (including the Russian hackers) on October 31st. Google did notify Microsoft of the security problem, but gave the Microsoft team only seven days before revealing it publicly. Generally, security teams give each other notice of any security issues with their software (and ample time to fix them) so the problem can be fixed before the public is informed. Google has garnered heavy criticism for releasing the security issue before Microsoft had a chance to patch it. Microsoft is projecting a November 8th patch for the problem, but the damage has already been done.
Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.
“We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows,” Myerson wrote. “Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8.”
“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure,” Myerson wrote. “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”
For now, everyone will have to hang tight until election day for Microsoft to release the fix; just remember to update as soon as you receive the notification. What do you think of Google’s choice to release the flaw before Microsoft had a chance to properly fix it? Let us know in the comments below or on Twitter, Facebook and Google+.