Microsoft patches 'critical vulnerability' in Windows

The patch fixes a flaw that allowed hackers to elevate security privileges and install backdoors

Microsoft has released the promised Election Day patch to fix a critical vulnerability in Windows, which allowed hackers to take full control of user systems.

The update, released on Tuesday, fixes a flaw in the Windows kernel, which "could allow elevation of privilege if an attacker logs onto an affected system and runs a specially crafted application that could exploit the vulnerabilities," according to a Microsoft security bulletin. Once a hacker was able to get past the security, a backdoor could be installed for easier access.

Rated as 'important', the update designated 'MS16-135' has been rolled out across Windows Vista, 7, 8.1 and 10 operating systems, as well as Windows Server versions running from 2008 to 2016. 

Google first reported the discovery of a 'critical vulnerability' in Windows to Microsoft last month, the details of which were made public on 1 November. Microsoft claimed that publicly disclosing the vulnerability before a patch could be made available put customers at "potential risk".


Customers using Microsoft Edge on Windows 10 Anniversary Update were considered protected from the phishing scam, according to Microsoft. Similarly, users who have Windows Defender Advanced Threat Protection enabled should also be immune to attacks, as the software is able to recognise security breach attempts.

Microsoft recommends all users update to Tuesday's security patch, which is available through the Windows Update tool.

02/11/2016: A Russian hacking group has been exploiting a recently discovered Windows vulnerability through a series of phishing attacks, according to a statement by Microsoft on Tuesday.

Microsoft has blamed a small number of attacks using 'spear phishing emails' on a hacking group known to the company as 'Strontium', widely known as 'Fancy Bear'.

The news comes following the discovery of a critical vulnerability by Google Threat Analysis Group on the 26th October, affecting Adobe Flash and Windows operating systems.

Adobe released an update for the zero-day vulnerability designated 'CVE-2016-7855', a use-after-free memory flaw that allowed hackers to gain full remote access to a user's system.

Microsoft has yet to release a patch to fix the flaw still present in Windows, which allows malicious code to 'escape' the Windows sandbox and raise security privileges. Once sufficient privileges are granted, a backdoor can then be installed.

The recently identified phishing scam exploited the vulnerability by duping users into clicking malicious email links or attachments, according to Microsoft.

"We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows," said Terry Myerson, executive vice president of Windows Group, in a blog post.

"Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on Tuesday, Nov 8," added Myerson.


The 'Fancy Bear' group, which is believed to be behind the attacks, has also been linked to the recent US Presidential election hack that resulted in a breach of data from the Democratic National Committee. It is unclear whether the same vulnerability was exploited in the data breach.

Although Russia has always denied involvement, US Intelligence experts have suggested that 'Fancy Bear' works primarily for the Russian Military Intelligence Agency, the GRU, according to Reuters.

Microsoft has again scolded Google over their disclosure of the critical vulnerability, arguing that releasing information about vulnerabilities before patches are available "puts customers at increased risk."

Users who have Windows Defender Advanced Threat Protection enabled should be immune to these attacks, according to Microsoft, as it should spot attempted hacks. An update to fix the flaw will be available on the 8th November, Election Day, according to Microsoft.

01/11/2016: Google: hackers still exploiting Windows 'critical' flaw

Google has warned that a zero-day vulnerability still exists in Windows, despite it being almost a week since Microsoft was first notified of the problem.

The critical vulnerability was reported by Google's Threat Analysis Group on the 26th October, affecting Adobe Flash software and Windows 7, 8.1 and 10 operating systems.

Adobe has since released an emergency patch to deal with the vulnerability designated 'CVE-2016-7855', which allowed hackers to exploit a use-after-free memory flaw to gain full remote access to a user's system.

Microsoft has yet to release an emergency patch to deal with remaining bugs that hackers are still exploiting, according to a Google security blog post.

"After seven days, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released," said Neel Mehta and Billy Leonard, Google Threat Analysis Group researchers and original discoverers of the flaw.


"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. This vulnerability is particularly serious because we know it is being actively exploited," the researchers added.

IT Pro has approached Microsoft for clarification about plans to address the vulnerability but has yet to receive a reply. However, the company does seem annoyed by the post.

"We believe in coordinated vulnerability disclosure, and today's disclosure by Google could put customers at potential risk," said Microsoft in an email to VentureBeat on Monday.

Google would typically give a company 60 days to respond to a disclosure report, but following guidelines produced in 2013, any vulnerability considered 'under active attack' should be resolved within seven days.

"We encourage users to verify that auto-updates have already updated Flash - and to manually update if not - and to apply Windows patches from Microsoft when they become available for the Windows vulnerability," said Google. 
