Microsoft scrambling to close gaping hole in Windows

Patch is currently being worked on, should be released next week

Yesterday, we reported on a critical zero-day Windows vulnerability which is being actively exploited. Microsoft has now given further details on this flaw (which was first revealed by Google) and assured users that it will be patched next week.

According to Terry Myerson, Executive VP, Windows and Devices Group at Microsoft, the company has coordinated efforts with Google and Adobe (there was also a Flash vulnerability highlighted) to concoct a patch for all versions of Windows.

This patch is now being tested, and will be rolled out next Tuesday, November 8.

As we noted yesterday, Microsoft wasn’t happy with Google’s public disclosure of the issue before a fix was implemented, and Myerson said: “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”

Strontium dogs

Apparently the flaw has been actively used in a small-scale spear phishing campaign by a group called Strontium, more commonly known these days as ‘Fancy Bear’, an organisation responsible for some high-profile hacks in the US targeting the likes of government agencies and other authorities.

Microsoft also took the time to clarify that those using the Edge browser with Windows 10 Anniversary Update are protected from the current strains of this attack spotted in the wild.

Yesterday, Google also noted that those running Chrome on Windows 10 were similarly protected.

The flaw itself was described by Google as a “local privilege escalation in the Windows kernel that can be used as a security sandbox escape”, meaning that code already running inside a sandboxed process can use it to gain higher privileges, get around the system’s security sandbox and execute malicious code on the target machine.

Via: ZDNet