Google Discloses Microsoft's 'Unpatched Actively Exploited' Bugs, Used by Russian Hackers?

Last updated: July 5, 2023 Reading time: minutes
Disclosure
Share

Google disclosed Microsoft’s windows zero-day vulnerability. Microsoft doesn’t seem happy about it. Reports are the vulnerability is used by Russian hackers. When the fix will be available? Read More…

Google publicly disclosed Microsoft Windows zero-day vulnerability after Microsoft failed to patch it within the 7-day deadline given by the tech giant when it found the flaw that is in the wild.

Google researchers recently discovered a critical zero-day flaw in Windows that its kernel is compromised by a ‘local privilege escalation’ vulnerability that allows attackers to bypass the sandbox mechanism of Microsoft Windows to gain administrator-level access and execute malicious code.

Google said in its blog post on Monday, “[The Windows vulnerability] can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability.”

Windows zero-day exploit isn’t fixed yet!

“We are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released.” wrote Billy Leonard and Neil Mehta of Google’s Threat Analysis Group. “This vulnerability is particularly serious because we know it is being actively exploited.”

Google has the policy to give companies 90 days timeframe to patch vulnerabilities that are found by its researchers, but vendors are advised to either develop fixes or provide a workaround within 60 days if the flaw is of critical nature. However, if a security hole is being exploited at large, vendors are given only 7 days to take immediate actions.

On October 21st, Google informed Adobe and Microsoft of Flash Player and Windows vulnerabilities that are being exploited in the wind. Adobe managed to patch its Flash Player after a few days, but Microsoft hasn’t released a fix or an advisory note.

Terry Myerson, Executive VP of Microsoft’s Windows and devices, seemed disappointed by the Google’s disclosure before Microsoft could release a fix. “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” wrote Myerson.

Google said it had a responsibility “to protect users” because the vulnerability is actively being exploited by attackers to compromise people’s systems.

In the latter case of Adobe, Google discovered and informed Adobe that malicious actors had been exploiting (CVE-201607855) a use-after-free vulnerability in targeted attacks aimed at users running Microsoft Windows 7, 8.1 and 10.

This is not the first. Google has a strict disclosure policy and has a history of disclosing Windows vulnerabilities before Microsoft could patch it. In Q1’2015, Google Project Zero published details of vulnerabilities after 90-day deadline period. At the time, Google made some changes in its disclosure policy after facing criticism from members of the industry.

Who exploited the vulnerability?

“Strontium,” as called by the Microsoft’s threat intelligence team, but known by many with other names including “Fancy Bear,” “APT28,” or “Sofacy.” Many cyber security experts link this group to the Russian government or more specifically, foreign intelligence agency the GRU, according to the Fortune.

Who’s protected?

Microsoft in its blog post has said, Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild.”

When will the fix be available?

Microsoft says, “We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows. Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8.”

Share this article

About the Author

Peter Buttler an Infosec Journalist and Tech Reporter, Member of IDG Network. In 2011, he completed Masters in Cybersecurity and technology. He worked for leading security and tech giants as Staff Writer. Currently, he contributes to a number of online publications, including The Next Web, CSO Online, Infosecurity Mag, SC Magazine, Tripwire, GlobalSign CSO Australia, etc. His favorite areas Online Privacy, AI, IoT, VR, Blockchain, Big Data, ML, Fintech, etc. You can follow him on twitter.

More from Peter Buttler

Related Posts