Yesterday, we reported that Google released the details of a critical Windows 10 vulnerability just ten days after telling Microsoft about it. Microsoft responded today with a TechNet blog post that was written by none other than the Executive Vice President of the Windows and Devices Group, Terry Myerson.
Myerson said that a group called STRONTIUM performed a spear-phishing attack. Before we go any further, users on the Windows 10 Anniversary Update using the Edge browser should already be protected from it. The attack used two zero-day vulnerabilities, one in Flash and one in the Windows kernel, to do the following:
1. Exploit Flash to gain control of the browser process
2. Elevate privileges in order to escape the browser sandbox
3. Install a backdoor to provide access to the victim’s computer
But perhaps the most troublesome issue is that all versions of Windows from Vista through the Windows 10 November Update are vulnerable to these exploits. Microsoft says that it will be offering patches on November 8, which is this month's Patch Tuesday.
Businesses that have Windows Defender Advanced Threat Protection (ATP) should be safe as well. The company says that Defender ATP can "generically detect, without any signature, multiple stages of the attack such as the creation of uncommon DLL libraries on disk from the browser process, unexpected changes of process token and integrity levels (EoP), and the loading of recently created DLL libraries under abnormal process conditions".
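To make the three behaviours in that quote concrete, here is an added example (not Microsoft's code and not how Defender ATP is implemented) that applies the same signature-free idea to endpoint telemetry. The event schema, field names, browser list, 600-second "recent" window and sample events are all assumptions constructed for illustration.

```python
# Added illustration; schema and sample data are constructed, not Defender ATP's.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "microsoftedge.exe"}
LEVELS = {"low": 1, "medium": 2, "high": 3, "system": 4}
RECENT_SECONDS = 600  # assumed meaning of "recently created"

def detect(events):
    """Return (timestamp, rule, detail) alerts for the three quoted behaviours."""
    alerts = []
    dll_created = {}  # lower-cased DLL path -> creation time
    integrity = {}    # pid -> last observed integrity level
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, proc = ev["type"], ev["process"].lower()
        if kind == "file_create" and ev["path"].lower().endswith(".dll"):
            dll_created[ev["path"].lower()] = ev["ts"]
            # Browsers rarely write DLLs to disk themselves.
            if proc in BROWSERS:
                alerts.append((ev["ts"], "dll_dropped_by_browser", ev["path"]))
        elif kind == "token_state":
            prev = integrity.get(ev["pid"])
            # A running process whose integrity level rises suggests EoP.
            if prev is not None and LEVELS[ev["integrity"]] > LEVELS[prev]:
                alerts.append((ev["ts"], "integrity_raised",
                               f"{proc} {prev}->{ev['integrity']}"))
            integrity[ev["pid"]] = ev["integrity"]
        elif kind == "image_load":
            created = dll_created.get(ev["path"].lower())
            if created is not None and ev["ts"] - created <= RECENT_SECONDS:
                alerts.append((ev["ts"], "recent_dll_loaded", ev["path"]))
    return alerts

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"ts": 100, "type": "token_state", "process": "iexplore.exe",
     "pid": 4242, "integrity": "low"},
    {"ts": 105, "type": "file_create", "process": "iexplore.exe",
     "pid": 4242, "path": r"C:\Users\demo\AppData\Local\Temp\example.dll"},
    {"ts": 110, "type": "token_state", "process": "iexplore.exe",
     "pid": 4242, "integrity": "system"},
    {"ts": 120, "type": "image_load", "process": "loader.exe",
     "pid": 5150, "path": r"C:\Users\demo\AppData\Local\Temp\example.dll"},
    {"ts": 130, "type": "file_create", "process": "msiexec.exe",
     "pid": 6000, "path": r"C:\Program Files\Demo\demo.dll"},
    {"ts": 5000, "type": "image_load", "process": "demo.exe",
     "pid": 6100, "path": r"C:\Program Files\Demo\demo.dll"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The installer-written DLL in the sample raises no alert because it is not written by a browser and is loaded long after creation; in practice the third rule needs an allowlist or a tighter window to keep legitimate installs from alerting.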
Microsoft announced a number of new security features for Windows and Office 365 at its Ignite 2016 conference in September. We asked why some of these features - such as Defender ATP - aren't available in consumer versions of Windows, and we were told that consumers don't need the same level of security that enterprises do.
Myerson also wrote that Microsoft attributes more zero-day vulnerabilities to STRONTIUM than to any other organization this year. The group will often compromise a person's email address, and use it to send malicious content to a second victim, often pursuing them for months.
Microsoft said that Google reporting the vulnerability was "disappointing", and that it needlessly puts consumers at risk. Nevertheless, be sure to check for updates next Tuesday at 10 AM PT.