Microsoft: Windows bug exploited by hackers tied to Russia

(CNNMoney) — Microsoft has confirmed some Windows users were under attack earlier this month by a specialized hacking group.

The group, which was previously tied to Russia’s best intelligence agency by other cybersecurity firms, was exploiting a bug recently discovered by Google, Microsoft said.

Google revealed on Monday a critical bug in Microsoft Windows software that could give hackers full control of your computer. Microsoft has since announced plans to release a fix on Tuesday, November 8.

Google’s security team said it first discovered “zero day” bugs in Adobe and Microsoft software on October 21. “Zero day” is the term for unique, never-before-seen vulnerabilities that are dangerous because they’re live.

Adobe addressed the bug with an update to its Adobe Flash Player on October 26, five days after it was first notified by Google. Microsoft, however, had yet to issue a fix, so Google went public with the bug on Monday.

Microsoft contested the seriousness of the bug on Tuesday morning, saying Adobe’s fix is sufficient.

“We disagree with Google’s characterization … as ‘critical’ and ‘particularly serious,’ since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week,” according to a Microsoft statement sent to CNNMoney.

But some experts believe the bug could still be exploited while users wait for a Microsoft update.

“The bug could be used as part of a larger attack to take control of the entire system,” security researcher Katie Moussouris, CEO of Luta Security, told CNNMoney.

Microsoft has criticized Google’s public reporting of the bug.

“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” reads a blog post from Terry Myerson, EVP of Microsoft’s Windows and Devices Group.

Google’s security team is set up to search for exploits quietly lurking on the internet. It typically recommends companies fix security issues within 60 days, but in 2013, it announced a more aggressive, expedited disclosure policy for urgent requests. That gave Microsoft just seven days to come up with a fix.

Microsoft said the bug was never effective in its Windows 10 Anniversary Update, which launched in August, due to security enhancements.

The company unveiled its next-generation Windows software, called Windows 10 Creators Update, less than a week ago.

For now, Microsoft users should ensure auto updates are turned on for Flash, Windows and antivirus software. It’s also recommended to run Google’s Chrome browser, which prevents the bug from being exploited, according to Moussouris.
