Microsoft Corp. announced Tuesday that a group of hackers previously associated with the Russian government and U.S. political hacks is exploiting a security flaw in the Windows operating system. The company did not name the victims of the attack and said it would release a patch to protect Windows users against it on Nov. 8, as reported by Reuters. The group “Fancy Bear” has been identified as the attacker.

Google revealed Monday details of a bug in Microsoft’s Windows software that it describes as critical, since hackers could be exploiting the security flaw right now. The search giant had given Microsoft seven days to fix the bug, but Microsoft said it disagrees with the alert, which it was notified of on Oct. 21. Google decided to go public with the bug after Microsoft refused to issue a fix.

“We disagree with Google’s characterization of a local elevation of privilege as ‘critical’ and ‘particularly serious’ since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week,” a Microsoft spokeswoman told the BBC.

Microsoft said users are safe as long as they have installed the latest Adobe Flash Player update released last week, according to the BBC. Moreover, Microsoft’s analysis has shown that the bug never affected the Windows 10 Anniversary Update due to improved security.

Google said it found “zero-day” bugs in Adobe and Microsoft software. The term refers to vulnerabilities that have never been seen before.

Security researcher Katie Moussouris, chief executive officer of Luta Security, told CNN Money that hackers could control the entire system by using the bug and conducting a larger attack. The security flaw involves Win32k.sys, a file used by Windows to display graphics. If users delete or alter this file, system errors can be triggered, and this could lead to the so-called “blue screen of death,” as reported by the BBC.

CNN reports Google as saying that hackers can exploit the file to cause a “security sandbox escape,” which means that other unrelated computer functions could be affected once Win32k.sys is compromised. The company recommends that users use only its Chrome web browser to avoid exposure to the security flaw. This browser is not affected by the bug.

Moussouris’ advice is to make sure automatic updates are turned on for Windows, Flash, and antivirus software to prevent hackers from exploiting the bug.

Microsoft is not happy with Google’s policy

Google operates a 2013 policy of giving developers a 60-day deadline to fix a security flaw it has detected, provided it doesn’t believe others are actively using it. If the company identifies that anyone else is making use of it, it gives only seven days.

The search firm has admitted that the timeline was aggressive and might be too short to come up with a fix but pointed out that it should be enough time to issue recommendations about “possible mitigations,” according to the BBC.

“By holding ourselves to the same standard, we hope to improve both the state of web security and the co-ordination of vulnerability management,” Google stated, as quoted by the BBC.

On the other hand, Microsoft argued the alert was more harmful than useful given that more time is required to develop a patch. A Microsoft spokesperson told VentureBeat that it supported “coordinated vulnerability disclosure” and that the alert Google issued by itself potentially increased the risk customers are exposed to. Microsoft called Google’s actions disappointing.

Fancy Bear’s link to attackers of Democratic Party database and emails

In an advisory issued Tuesday on its website, Microsoft revealed that “spear phishing” emails were being used by a hacking group called Strontium to conduct a few attacks. The group is also known as “Fancy Bear” and APT 28, as Reuters reported.

Fancy Bear usually works for or on behalf of Russia’s military intelligence agency, the GRU, which is also behind hacks of the Democratic Party database and emails, as a U.S. intelligence expert on Russian cyber activity told Reuters.


Source: BBC