Microsoft patches 'critical vulnerability' in Windows

The patch fixes a flaw that allowed hackers to elevate security privileges and install backdoors

Microsoft has released the promised Election Day patch to fix a critical vulnerability in Windows, which allowed hackers to take full control of user systems.

The update, released on Tuesday, fixes a flaw in the Windows kernel, which "could allow elevation of privilege if an attack logs onto an affected system and runs a specially crafted application that could exploit the vulnerabilities," according to a Microsoft security bulletin. Once a hacker was able to get past the security, a backdoor could be installed for easier access.

Advertisement - Article continues below

Rated as 'important', the update designated 'MS16-135' has been rolled out across Windows Vista, 7, 8.1 and 10 operating systems, as well as Windows Server versions running from 2008 to 2016. 

Google first reported the discovery of a 'critical vulnerability' in Windows to Microsoft last month, the details of which were made public on the 1 November. Microsoft claimed that publically disclosing the vulnerability before a patch could be made available put customers at "potential risk".

Customers using Microsoft Edge on Windows 10 Anniversary Update were considered protected from the phishing scam, according to Microsoft. Similarly users who have Windows Defender Advanced Threat Protection enabled should also be immune to attacks, as the software is able to recognise security breach attempts.

Advertisement - Article continues below

Microsoft recommends all users update to Tuesday's security patch, which is available through the Windows Update tool.

02/11/2016: A Russian hacking group has been exploiting a recently discovered Windows vulnerability through a series of phishing attacks, according to a statement by Microsoft on Tuesday.

Advertisement - Article continues below

Microsoft has blamed a small number of attacks using 'spear phishing emails' on a hacking group known to the company as 'Strontium', widely known as 'Fancy Bear'.

The news comes following the discovery of a critical vulnerability by Google Threat Analysis Group on the 26th October, affecting Adobe Flash and Windows operating systems.

Adobe released an update to the zero-day vulnerability designated 'CVE-2016-7855', a user-after-free memory flaw that allowed hackers to gain full remote access to a user's system.

Microsoft has yet to release a patch to fix the flaw still present in Windows, which allows malicious code to 'escape' the Windows' sandbox and raise security privileges. Once sufficient privileges are granted, a backdoor can then be installed.

The recently identified phishing scam exploited the vulnerability by duping users into clicking malicious email links or attachments, according to Microsoft.

"We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows," said Terry Myerson, executive vice president of Windows Group, in a blog post.

Advertisement - Article continues below

"Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on Tuesday, Nov 8," added Myerson.

The 'Fancy Bear' group is believed to be behind the attacks, which has also been linked to the recent US Presidential election hack that resulted in a breach of data from the Democratic National Committee. It is unclear whether the same vulnerability was exploited in the data breach.

Although Russia has always denied involvement, US Intelligence experts have suggested that 'Fancy Bear' works primarily for the Russian Military Intelligence Agency, the GRU, according to Reuters.

Advertisement - Article continues below

Microsoft has again scolded Google over their disclosure of the critical vulnerability, arguing that releasing information about vulnerabilities before patches are available "puts customers at increased risk."

Users who have Windows Defender Advanced Threat Protection enabled should be immune to these attacks, according to Microsoft, as it should spot attempted hacks. An update to fix the flaw will be available on the 8th November, Election Day, according to Microsoft.

Advertisement - Article continues below

01/11/2016: Google: hackers still exploiting Windows 'critical' flaw

Google has warned that a zero-day vulnerability still exists in Windows, despite it being almost a week since Microsoft was first notified of the problem.

The critical vulnerability was reported by Google's Threat Analysis Group on the 26th October, affecting Adobe Flash software and Windows 7, 8.1 and 10 operating systems.

Adobe has since released an emergency patch to deal with the vulnerability designated 'CVE-2016-7855', which allowed users to exploit a use-after-free memory flaw to gain full remote access to a user's system.

Microsoft has yet to release an emergency patch to deal with remaining bugs that hackers are still exploiting, according to a Google security blog post.

"After seven days, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released," said Neel Mehta and Billy Leonard, Google Threat Analysis Group researchers and original discoverers of the flaw.

Advertisement - Article continues below

"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. This vulnerability is particularly serious because we know it is being actively exploited," the researchers added.

IT Pro has approached Microsoft for clarification about plans to address the vulnerability but has yet to receive a reply. However, the company does seem annoyed by the post.

"We believe in coordinated vulnerability disclosure, and today's disclosure by Google could put customers at potential risk," said Microsoft in an email to VentureBeat on Monday.

Google would typically give a company 60 days to respond to a disclosure report, but following guidelines produced in 2013, any vulnerability considered 'under active attack' should be resolved within seven days.

"We encourage users to verify that auto-updates have already updated Flash - and to manually update if not - and to apply Windows patches from Microsoft when they become available for the Windows vulnerability," said Google. 

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now


operating systems

How to get help in Windows 10

30 Mar 2020
Business operations

Amazon and Microsoft join NHS project battling pandemic

27 Mar 2020
Microsoft Windows

Microsoft puts Windows development on lockdown

25 Mar 2020
backup software

Windows File History and Backup review: Useful but limited

25 Mar 2020

Most Popular


Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
data breaches

Marriott data breach exposes personal data of 5.2 million guests

31 Mar 2020
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020