Microsoft Warns of Windows Zero-Day Flaw Exploited by Russian Hackers
Microsoft on Tuesday confirmed that the allegedly Russian hacking group Strontium has launched a spear phishing campaign to exploit a recently discovered flaw in Windows 10.
The recently disclosed flaw exploits Adobe Flash to elevate privilege on a machine so that a browser sandbox can be bypassed. Once through, an attacker can install a backdoor on a system.
"Based on the analysis performed by the Windows Defender ATP Exploit research team and the Microsoft Security Response Center (MSRC), the vulnerability in Adobe Flash leveraged by STRONTIUM was found to be a use-after-free issue affecting ActionScript runtime code," wrote Terry Myerson, executive vice president for the Windows and Devices group at Microsoft, in a blog post.
Microsoft said those running either Edge on the latest Windows 10 "Anniversary" update are protected from this flaw thanks to the increased sandbox protection capabilities. It is also working with Adobe to release a Windows patch for older versions of the OS sometime next week. On Adobe's end, the company said it had already patched the Flash flaw in its software.
Word that Strontium, the hacking group allegedly behind the recent U.S. Democratic e-mail hack and more 0-day exploit campaigns than any other group this year (according to Microsoft), was actively taking advantage of the unpatched flaw came just days after Google's Threat Analysis Group publicly disclosed the flaw on Monday.
In a security blog, Google described the flaw as "a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."
Microsoft criticized Google for disclosing the flaw to the public just a week after Google's security team alerted Microsoft engineers of the issue, citing it didn't provide adequate time for Microsoft to address the issue. "We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure," wrote Myerson. "Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."
According to Google, the disclosure of the flaw just seven days after alerting Microsoft was in line with its policy for alerting the public of actively exploited critical vulnerabilities, citing Microsoft not issuing an advisory as a major reason for Google's disclosure.
As Microsoft works on a fix, the company is recommending that those that can should upgrade to the latest version of Windows 10.