Evidence is mounting that the Windows kernel has a serious vulnerability that is already being exploited in the wild. Microsoft says the bug is being actively exploited by the Russian hacking group it tracks as ‘Strontium’.
As BetaNews has explained, the group also goes by several other names, most widely ‘Fancy Bear’. It is the same group previously described as a ‘Russian state actor’, a label that implies some degree of backing from the Russian government. Whether blessed by the Russian authorities or not, the attacks have involved spear-phishing campaigns against a subset of Windows users. Microsoft has not said who makes up the group, which does little to comfort potentially affected users.
But is Microsoft solely to blame? Should it have fixed this flaw much earlier?
At the end of October, Google, following its disclosure timeline for actively exploited vulnerabilities, publicly detailed vulnerabilities it had found in both Adobe Flash and Microsoft Windows. This came roughly a week after it had reported them privately to both companies. Microsoft had not yet released a broad fix for the Windows issue, but it said in a statement that one was being tested internally and would be rolled out to all affected Windows platforms on November 8.
Microsoft is not happy that Google published details of the vulnerability before it could ship a fix.
Microsoft’s position is that by publishing the vulnerability Google released details before a patch was ready. Terry Myerson, executive vice president of the Windows and Devices Group, said that responsible technology industry participation puts the customer first and requires coordinated vulnerability disclosure. He went on: “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”
In Microsoft’s view the move from Mountain View “puts customers at potential risk”, because more people now know there is a new vulnerability to exploit. Its public statement read: “We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk.” Windows is arguably the only platform with a customer commitment to investigate reported security issues and proactively update affected devices as soon as possible.
Despite the criticism, Google maintains that it gave Microsoft enough time to respond. Neel Mehta and Billy Leonard of Google’s Threat Analysis Group report that they warned both Adobe and Microsoft about zero-day vulnerabilities discovered in Adobe Flash and Windows.
The report went to both companies on October 21, and Adobe responded within days, shipping a Flash update on October 26. So is Microsoft to blame? Should it have addressed the vulnerability sooner? After all, are customers not entitled to know that the software they are using has vulnerabilities? Or perhaps it is consumers who should take more responsibility for keeping their computers up to date.
The real problem, according to Google, is that the unpatched Windows flaw is “being actively exploited.”
In Microsoft’s defence, VentureBeat has pointed out that it is a lot easier to produce a fix for Flash than for a full operating system; ten days may simply not have been enough time for Microsoft to fix and test the problem. Redmond’s statement to VentureBeat echoes the one it issued back in 2015, when Google disclosed another flaw before Microsoft’s patch was out.
Google, for its part, says it published the vulnerabilities under its existing policy for actively exploited critical vulnerabilities, which states that Google will disclose such a vulnerability seven days after reporting it to the vendor.
What can you do as a consumer to protect yourself in the meantime?
Microsoft clarified to VentureBeat that in the attacks it has seen the Flash bug is used first, to get code running in the browser, and the Windows flaw is then used to break out of the browser’s sandbox. Updating Flash, if you have not done so in the past few weeks, therefore cuts off the attack chain that is actually being used while you wait for Microsoft’s patch. It is not a fix for the kernel bug itself, which any code already running on the machine could still trigger. Microsoft also recommends that customers use Windows 10 and the Microsoft Edge browser for the best protection.
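The practical check behind the advice above is whether every Flash Player binary on the machine is at or above the version Adobe shipped on October 26. The following PowerShell script is an added example, not code from the article, Microsoft or Adobe. It looks in the install locations Flash has used on Windows (ActiveX for Internet Explorer and Edge, NPAPI for Firefox, PPAPI for Opera and Chrome, plus Chrome’s own bundled copy) and flags anything older than a minimum version. The minimum version is a parameter you supply; the value shown is an assumption taken from Adobe’s bulletin for that update and is not stated in the article.

```powershell
# Added example: list installed Flash Player binaries and flag outdated ones.
# The install paths below are the usual Flash locations on Windows; any that do
# not exist on a given machine are simply skipped.
function Get-FlashPlayerBinary {
    $candidates = @(
        "$env:SystemRoot\System32\Macromed\Flash\Flash*.ocx",           # ActiveX (IE/Edge); Windows Update ships it on Windows 8+
        "$env:SystemRoot\SysWOW64\Macromed\Flash\Flash*.ocx",           # 32-bit ActiveX on 64-bit Windows
        "$env:SystemRoot\System32\Macromed\Flash\NPSWF*.dll",           # NPAPI plugin (Firefox)
        "$env:SystemRoot\SysWOW64\Macromed\Flash\NPSWF*.dll",
        "$env:SystemRoot\System32\Macromed\Flash\pepflashplayer*.dll",  # PPAPI plugin (Opera, system-wide Chrome)
        "$env:SystemRoot\SysWOW64\Macromed\Flash\pepflashplayer*.dll",
        "$env:LOCALAPPDATA\Google\Chrome\User Data\PepperFlash\*\pepflashplayer.dll"  # Chrome's bundled PPAPI Flash
    )
    foreach ($pattern in $candidates) {
        Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
            $vi = $_.VersionInfo
            # Flash writes its FileVersion string with commas ("23,0,0,205"), which
            # [version] will not parse, so build the version from the numeric parts.
            [pscustomobject]@{
                Path    = $_.FullName
                Version = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            }
        }
    }
}

function Test-FlashUpToDate {
    param([Parameter(Mandatory)][version]$MinimumVersion)
    $binaries = @(Get-FlashPlayerBinary)
    if ($binaries.Count -eq 0) {
        Write-Output "No Flash Player binaries found; nothing to update."
        return
    }
    foreach ($b in $binaries) {
        $status = if ($b.Version -ge $MinimumVersion) { 'OK' } else { 'OUTDATED - update Flash' }
        [pscustomobject]@{ Status = $status; Version = $b.Version; Path = $b.Path }
    }
}

# Assumed minimum version (not from the article): take the real value from
# Adobe's security bulletin for the October 26 Flash update.
Test-FlashUpToDate -MinimumVersion '23.0.0.205' | Format-Table -AutoSize
```

On Windows 8 and later the ActiveX copy is serviced by Windows Update rather than by Adobe’s installer, so an outdated Flash.ocx under System32 means a pending Windows update, not a missing Adobe download.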
Although Microsoft did not say so, Chrome users on Windows 10 are also protected: Chrome’s sandbox stops its renderer processes from calling into the affected Windows component (win32k.sys) by switching on a lockdown feature built into Windows. An attacker who gets code running inside the sandbox therefore cannot reach the vulnerable system call, so the newly discovered vulnerability cannot be used to escape the browser’s sandbox.
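The lockdown feature referred to above is a per-process mitigation that Windows exposes through its process mitigation policy API, and you can query it for any running process. The PowerShell script below is an added example, not code from the article or from Google; it asks Windows, for each chrome.exe process, whether win32k system calls are disallowed. The process name is an assumption (change it to inspect Edge or another browser), and the script needs Windows 8 or later because the API does not exist on Windows 7.

```powershell
# Added example: report which processes have the Windows win32k system-call
# lockdown enabled, i.e. the mitigation that keeps a sandboxed process away
# from win32k.sys and therefore from the vulnerable NtSetWindowLongPtr() path.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessMitigationPolicy(IntPtr hProcess, int MitigationPolicy, ref uint lpBuffer, IntPtr dwLength);
'@
$Native = Add-Type -MemberDefinition $signature -Name 'Mitigation' -Namespace 'Win32kCheck' -PassThru

$PROCESS_QUERY_INFORMATION      = 0x0400  # access right GetProcessMitigationPolicy requires
$ProcessSystemCallDisablePolicy = 4       # PROCESS_MITIGATION_POLICY enum value

function Get-Win32kLockdown {
    # Returns $true when DisallowWin32kSystemCalls is set for the given process.
    param([Parameter(Mandatory)][int]$ProcessId)
    $h = $Native::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw ("OpenProcess failed for PID {0}: Win32 error {1}" -f $ProcessId, [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    try {
        # PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY is a 4-byte flags word;
        # bit 0 is DisallowWin32kSystemCalls.
        [uint32]$flags = 0
        $ok = $Native::GetProcessMitigationPolicy($h, $ProcessSystemCallDisablePolicy, [ref]$flags, [IntPtr]4)
        if (-not $ok) {
            throw ("GetProcessMitigationPolicy failed for PID {0}: Win32 error {1}" -f $ProcessId, [Runtime.InteropServices.Marshal]::GetLastWin32Error())
        }
        return [bool]($flags -band 1)
    } finally {
        [void]$Native::CloseHandle($h)
    }
}

# Assumed target: Chrome. The browser process itself must talk to win32k to
# draw its windows, so only the sandboxed renderer processes should report the lockdown.
Get-Process -Name chrome -ErrorAction SilentlyContinue | ForEach-Object {
    $state = 'unknown'
    try {
        if (Get-Win32kLockdown -ProcessId $_.Id) { $state = 'win32k blocked' } else { $state = 'win32k allowed' }
    } catch {
        $state = "error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ PID = $_.Id; Name = $_.ProcessName; Win32kLockdown = $state }
} | Format-Table -AutoSize
```

Expect a mix in the output: the main browser process and the GPU process show the calls allowed, while renderer processes show them blocked. A Chrome process that should be sandboxed but reports the calls allowed is one that could still reach the vulnerable system call if it were compromised.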
For readers who want the technical detail, Google’s description of the bug is this: the Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. That system call is the kernel side of the ordinary user-mode SetWindowLongPtr() API, so any code already running on the machine can reach it, which is also why blocking win32k system calls from a sandboxed process is enough to stop the escape.