Microsoft patches 'critical vulnerability' in Windows


Microsoft has released the promised Election Day patch to fix a critical vulnerability in Windows, which allowed hackers to take full control of user systems.

The update, released on Tuesday, fixes a flaw in the Windows kernel, which "could allow elevation of privilege if an attacker logs onto an affected system and runs a specially crafted application that could exploit the vulnerabilities," according to a Microsoft security bulletin. Once an attacker had gained elevated privileges, a backdoor could be installed for easier access.

Rated as 'important', the update designated 'MS16-135' has been rolled out across Windows Vista, 7, 8.1 and 10 operating systems, as well as Windows Server versions running from 2008 to 2016.

Google first reported the discovery of a 'critical vulnerability' in Windows to Microsoft last month, and made the details public on 1 November. Microsoft claimed that publicly disclosing the vulnerability before a patch could be made available put customers at "potential risk".

Customers using Microsoft Edge on Windows 10 Anniversary Update were considered protected from the phishing scam, according to Microsoft. Similarly, users who have Windows Defender Advanced Threat Protection enabled should also be immune to the attacks, as the software is able to recognise security breach attempts.

Microsoft recommends all users update to Tuesday's security patch, which is available through the Windows Update tool.

02/11/2016: A Russian hacking group has been exploiting a recently discovered Windows vulnerability through a series of phishing attacks, according to a statement by Microsoft on Tuesday.

Microsoft has blamed a small number of attacks using 'spear phishing emails' on a hacking group known to the company as 'Strontium', widely known as 'Fancy Bear'.

The news comes following the discovery of a critical vulnerability by Google's Threat Analysis Group on 26 October, affecting Adobe Flash and Windows operating systems.

Adobe released an update fixing the zero-day vulnerability designated 'CVE-2016-7855', a use-after-free memory flaw that allowed hackers to gain full remote access to a user's system.

Microsoft has yet to release a patch to fix the flaw still present in Windows, which allows malicious code to 'escape' the Windows sandbox and elevate its privileges. Once sufficient privileges are gained, a backdoor can then be installed.

The recently identified phishing scam exploited the vulnerability by duping users into clicking malicious email links or attachments, according to Microsoft.

"We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows," said Terry Myerson, executive vice president of Windows Group, in a blog post.

"Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on Tuesday, Nov 8," added Myerson.

The 'Fancy Bear' group, which has also been linked to the recent US Presidential election hack that resulted in a breach of data from the Democratic National Committee, is believed to be behind the attacks. It is unclear whether the same vulnerability was exploited in that data breach.

Although Russia has always denied involvement, US intelligence experts have suggested that 'Fancy Bear' works primarily for the Russian military intelligence agency, the GRU, according to Reuters.

Microsoft has again scolded Google over their disclosure of the critical vulnerability, arguing that releasing information about vulnerabilities before patches are available "puts customers at increased risk."

Users who have Windows Defender Advanced Threat Protection enabled should be immune to these attacks, according to Microsoft, as it should spot attempted hacks. An update to fix the flaw will be available on 8 November, Election Day, according to Microsoft.

01/11/2016: Google: hackers still exploiting Windows 'critical' flaw

Google has warned that a zero-day vulnerability still exists in Windows, despite it being almost a week since Microsoft was first notified of the problem.

The critical vulnerability was reported by Google's Threat Analysis Group on 26 October, affecting Adobe Flash software and the Windows 7, 8.1 and 10 operating systems.

Adobe has since released an emergency patch to deal with the vulnerability designated 'CVE-2016-7855', which allowed attackers to exploit a use-after-free memory flaw to gain full remote access to a user's system.

Microsoft has yet to release an emergency patch to deal with remaining bugs that hackers are still exploiting, according to a Google security blog post.

"After seven days, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released," said Neel Mehta and Billy Leonard, Google Threat Analysis Group researchers and original discoverers of the flaw.

"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. This vulnerability is particularly serious because we know it is being actively exploited," the researchers added.

IT Pro has approached Microsoft for clarification about plans to address the vulnerability but has yet to receive a reply. However, the company does seem annoyed by the post.

"We believe in coordinated vulnerability disclosure, and today's disclosure by Google could put customers at potential risk," said Microsoft in an email to VentureBeat on Monday.

Google would typically give a company 60 days to respond to a disclosure report, but following guidelines produced in 2013, any vulnerability considered 'under active attack' should be resolved within seven days.

"We encourage users to verify that auto-updates have already updated Flash - and to manually update if not - and to apply Windows patches from Microsoft when they become available for the Windows vulnerability," said Google.

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.