Microsoft Warns of Windows Zero-Day Flaw Exploited by Russian Hackers

Microsoft on Tuesday confirmed that the allegedly Russian hacking group Strontium has launched a spear phishing campaign to exploit a recently discovered flaw in Windows 10.

The recently disclosed flaw exploits Adobe Flash to elevate privilege on a machine so that a browser sandbox can be bypassed. Once through, an attacker can install a backdoor on a system.

"Based on the analysis performed by the Windows Defender ATP Exploit research team and the Microsoft Security Response Center (MSRC), the vulnerability in Adobe Flash leveraged by STRONTIUM was found to be a use-after-free issue affecting ActionScript runtime code," wrote Terry Myerson, executive vice president for the Windows and Devices group at Microsoft, in a blog post.

Microsoft said those running either Edge on the latest Windows 10 "Anniversary" update are protected from this flaw thanks to the increased sandbox protection capabilities. It is also working with Adobe to release a Windows patch for older versions of the OS sometime next week. On Adobe's end, the company said it had already patched the Flash flaw in its software.

Word that Strontium, the hacking group allegedly behind the recent U.S. Democratic e-mail hack and more 0-day exploit campaigns than any other group this year (according to Microsoft), was actively taking advantage of the unpatched flaw came just days after Google's Threat Analysis Group publicly disclosed the flaw on Monday.

In a security blog, Google described the flaw as "a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

Microsoft criticized Google for disclosing the flaw to the public just a week after Google's security team alerted Microsoft engineers of the issue, citing it didn't provide adequate time for Microsoft to address the issue.  "We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure," wrote Myerson. "Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."

According to Google, the  disclosure of the flaw just seven days after alerting Microsoft was in line with its policy for alerting the public of actively exploited critical vulnerabilities, citing Microsoft not issuing an advisory as a major reason for Google's disclosure.

As Microsoft works on a fix, the company is recommending that those that can should upgrade to the latest version of Windows 10.

About the Author

Chris Paoli is the site producer for and


  • How To Replace an Aging Domain Controller

    If the hardware behind your domain controllers has become outdated, here's a step-by-step guide to performing a hardware refresh.

  • Azure Backup for SQL Server 2008 Available at Preview Stage

    Microsoft added the option of using the Azure Backup service to provide recovery support for SQL Server 2008 and SQL Server 2008 R2 when those workloads are hosted on Azure virtual machines.

  • Microsoft Suggests Disabling Old Protocols with Exchange Server 2019

    Exchange Server 2019 with Cumulative Update 2 (CU2) can help organizations rid themselves of old authentication protocols, which constitute a potential security risk.

  • Microsoft Previews New Edge Browser on Windows 7 and Windows 8.1

    Microsoft announced this week that it has released previews of its Chromium-based Microsoft Edge Web browsers for use on Windows 7, Windows 8 and Windows 8.1 systems.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.