Microsoft: Windows bug exploited by hackers tied to Russia

4 years ago

Microsoft has confirmed some Windows users were under attack earlier this month by a specialized hacking group.
The group, which was previously tied to Russia's best intelligence agency by other cybersecurity firms, were exploiting a bug recently discovered by Google, Microsoft said.
Google revealed on Monday a critical bug in Microsoft Windows software that could give hackers full control of your computer. Microsoft has since announced plans to release a fix on Tuesday, November 8.
Google's security team said it first discovered "zero day" bugs in Adobe (ADBE) and Microsoft (MSFT, Tech30) software on October 21. "Zero day" is the term for unique, never-before-seen vulnerabilities that are dangerous because they're live.
Adobe addressed the bug with an update to its Adobe Flash Player on October 26, five days after it was first notified by Google. Microsoft, however, had yet to issue a fix, so Google (GOOG) went public with the bug on Monday.
Microsoft contested the seriousness of the bug on Tuesday morning, saying Adobe's fix is sufficient.
"We disagree with Google's characterization ... as 'critical' and 'particularly serious,' since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week," according to a Microsoft statement sent to CNNMoney.

But some experts believe the bug could still be exploited while users wait for a Microsoft update.
"The bug could be used as part of a larger attack to take control of the entire system," security researcher Katie Moussouris, CEO of Luta Security, told CNNMoney.
Microsoft has criticized Google's public reporting of the bug.
"Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk," reads a blog post from Terry Myerson, EVP of Microsoft's Windows and Devices Group.
Google's security team is set up to search for exploits quietly lurking on the internet. It typically recommends companies fix security issues within 60 days, but in 2013, it announced a more aggressive, expedited disclosure policy for urgent requests. That gave Microsoft just seven days to come up with a fix.
Microsoft said the bug was never effective in its Windows 10 Anniversary Update, which launched in August, due to security enhancements.
The company unveiled its next-generation Windows software, called Windows 10 Creator Update, less than a week ago.
For now, Microsoft users should ensure auto updates are turned on for Flash, Windows and Antivirus software. It's also recommended to run Google's Chrome browser, which prevents the bug from being exploited, according to Moussouris.

Related forums
Russian Court Confirms Arrest Warrants for 3 Finiko Founders – Bitcoin News
Forum

Russian Court Confirms Arrest Warrants for 3 Finiko Founders – Bitcoin News

1 day ago
Bank of Russia to ‘Slow Down’ Payments to Crypto Exchanges, Curb Russians’ Impulsive Investments – Regulation Bitcoin News
Forum

Bank of Russia to ‘Slow Down’ Payments to Crypto Exchanges, Curb Russians’ Impulsive Investments – Regulation Bitcoin News

2 days ago
Scammers Offer Free Bitcoin on Hacked Government Site in Russia as Crypto Fraud Surges – Bitcoin News
Forum

Scammers Offer Free Bitcoin on Hacked Government Site in Russia as Crypto Fraud Surges – Bitcoin News

2 weeks ago
Cream Finance Exploited for $25 Million in ETH and AMP
Forum

Cream Finance Exploited for $25 Million in ETH and AMP

3 weeks ago