Microsoft fixes Google-divulged Windows vulnerability
Microsoft has patched a Windows vulnerability that was disclosed by researchers from Alphabet Inc.’s Google.
In one of several security updates — 14 to be exact — Microsoft fixed the bug in the Windows kernel drivers that Google security engineers had revealed on 31 October, 10 days after notifying Microsoft of the vulnerability.
Microsoft credited Neel Mehta and Billy Leonard of Google’s Threat Analysis Group for reporting the flaw. Recently, the two said that because the vulnerability was being actively exploited, a disclose-within-seven-days policy applied.
Microsoft’s top Windows executive, Terry Myerson, castigated Google for the move. “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” Myerson wrote in a 1 November post.
Myerson claimed that the attacks in circulation were being conducted by a Russian group that previously was linked to a hack of the US Democratic National Committee (DNC). The gang, which Microsoft dubbed Strontium, has been responsible since at least 2007 for very targeted attacks against governments, militaries and diplomats around the globe.
Microsoft also asserted that, while the latest Windows 10 upgrade, the summer’s Anniversary Update, contained the flaw, an anti-exploit defence had been added to that edition prior to the attacks coming to light. “These Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit,” Myerson said.
Redmond has patched the kernel drivers bug in Windows 10, as well as in Vista, Windows 7 and Windows 8.1.
IDG News Service