Microsoft patches 'critical vulnerability' in Windows

The patch fixes a flaw that allowed hackers to elevate security privileges and install backdoors

Microsoft has released the promised Election Day patch to fix a critical vulnerability in Windows, which allowed hackers to take full control of user systems.

The update, released on Tuesday, fixes a flaw in the Windows kernel, which "could allow elevation of privilege if an attacker logs onto an affected system and runs a specially crafted application that could exploit the vulnerabilities," according to a Microsoft security bulletin. Once a hacker was able to get past the security, a backdoor could be installed for easier access.

Rated as 'important', the update designated 'MS16-135' has been rolled out across Windows Vista, 7, 8.1 and 10 operating systems, as well as Windows Server versions running from 2008 to 2016. 

Google first reported the discovery of a 'critical vulnerability' in Windows to Microsoft last month, the details of which were made public on 1 November. Microsoft claimed that publicly disclosing the vulnerability before a patch could be made available put customers at "potential risk".

Customers using Microsoft Edge on Windows 10 Anniversary Update were considered protected from the phishing scam, according to Microsoft. Similarly, users who have Windows Defender Advanced Threat Protection enabled should also be immune to attacks, as the software is able to recognise security breach attempts.

Microsoft recommends all users update to Tuesday's security patch, which is available through the Windows Update tool.

02/11/2016: A Russian hacking group has been exploiting a recently discovered Windows vulnerability through a series of phishing attacks, according to a statement by Microsoft on Tuesday.

Microsoft has blamed a small number of attacks using 'spear phishing emails' on a hacking group known to the company as 'Strontium', widely known as 'Fancy Bear'.

The news comes following the discovery of a critical vulnerability by Google Threat Analysis Group on the 26th October, affecting Adobe Flash and Windows operating systems.

Adobe released an update for the zero-day vulnerability designated 'CVE-2016-7855', a use-after-free memory flaw that allowed hackers to gain full remote access to a user's system.

Microsoft has yet to release a patch to fix the flaw still present in Windows, which allows malicious code to 'escape' the Windows sandbox and raise security privileges. Once sufficient privileges are granted, a backdoor can then be installed.

The recently identified phishing scam exploited the vulnerability by duping users into clicking malicious email links or attachments, according to Microsoft.

"We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows," said Terry Myerson, executive vice president of Windows Group, in a blog post.

"Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on Tuesday, Nov 8," added Myerson.

The 'Fancy Bear' group, which is believed to be behind the attacks, has also been linked to the recent US Presidential election hack that resulted in a breach of data from the Democratic National Committee. It is unclear whether the same vulnerability was exploited in the data breach.

Although Russia has always denied involvement, US Intelligence experts have suggested that 'Fancy Bear' works primarily for the Russian Military Intelligence Agency, the GRU, according to Reuters.

Microsoft has again scolded Google over their disclosure of the critical vulnerability, arguing that releasing information about vulnerabilities before patches are available "puts customers at increased risk."

Users who have Windows Defender Advanced Threat Protection enabled should be immune to these attacks, according to Microsoft, as it should spot attempted hacks. An update to fix the flaw will be available on the 8th November, Election Day, according to Microsoft.

01/11/2016: Google: hackers still exploiting Windows 'critical' flaw

Google has warned that a zero-day vulnerability still exists in Windows, despite it being almost a week since Microsoft was first notified of the problem.

The critical vulnerability was reported by Google's Threat Analysis Group on the 26th October, affecting Adobe Flash software and Windows 7, 8.1 and 10 operating systems.

Adobe has since released an emergency patch to deal with the vulnerability designated 'CVE-2016-7855', which allowed hackers to exploit a use-after-free memory flaw to gain full remote access to a user's system.

Microsoft has yet to release an emergency patch to deal with remaining bugs that hackers are still exploiting, according to a Google security blog post.

"After seven days, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released," said Neel Mehta and Billy Leonard, Google Threat Analysis Group researchers and original discoverers of the flaw.

"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. This vulnerability is particularly serious because we know it is being actively exploited," the researchers added.

IT Pro has approached Microsoft for clarification about plans to address the vulnerability but has yet to receive a reply. However, the company does seem annoyed by the post.

"We believe in coordinated vulnerability disclosure, and today's disclosure by Google could put customers at potential risk," said Microsoft in an email to VentureBeat on Monday.

Google would typically give a company 60 days to respond to a disclosure report, but following guidelines produced in 2013, any vulnerability considered 'under active attack' should be resolved within seven days.

"We encourage users to verify that auto-updates have already updated Flash - and to manually update if not - and to apply Windows patches from Microsoft when they become available for the Windows vulnerability," said Google. 
