Microsoft Warns of Windows Zero-Day Flaw Exploited by Russian Hackers

Microsoft on Tuesday confirmed that the allegedly Russian hacking group Strontium has launched a spear phishing campaign to exploit a recently discovered flaw in Windows 10.

The recently disclosed attack chain uses a flaw in Adobe Flash together with a privilege-escalation flaw in Windows to bypass the browser sandbox. Once through, an attacker can install a backdoor on the system.

"Based on the analysis performed by the Windows Defender ATP Exploit research team and the Microsoft Security Response Center (MSRC), the vulnerability in Adobe Flash leveraged by STRONTIUM was found to be a use-after-free issue affecting ActionScript runtime code," wrote Terry Myerson, executive vice president for the Windows and Devices group at Microsoft, in a blog post.

Microsoft said those running Edge on the latest Windows 10 "Anniversary" update are protected from this flaw thanks to the increased sandbox protection capabilities. It is also working with Adobe to release a Windows patch for older versions of the OS sometime next week. On Adobe's end, the company said it had already patched the Flash flaw in its software.

Word that Strontium, the hacking group allegedly behind the recent U.S. Democratic e-mail hack and more 0-day exploit campaigns than any other group this year (according to Microsoft), was actively taking advantage of the unpatched flaw came just days after Google's Threat Analysis Group publicly disclosed the flaw on Monday.

In a security blog, Google described the flaw as "a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

Microsoft criticized Google for disclosing the flaw to the public just a week after Google's security team alerted Microsoft engineers of the issue, citing it didn't provide adequate time for Microsoft to address the issue. "We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure," wrote Myerson. "Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."

According to Google, the disclosure of the flaw just seven days after alerting Microsoft was in line with its policy for alerting the public of actively exploited critical vulnerabilities, citing Microsoft not issuing an advisory as a major reason for Google's disclosure.

As Microsoft works on a fix, the company is recommending that those that can should upgrade to the latest version of Windows 10.

About the Author

Chris Paoli is the site producer for and
