Microsoft on Tuesday warned that a group of hackers linked to attacks on the Democratic National Committee had exploited a vulnerability in all Windows PCs that it would not be able to fully mend for another week.
The flaw was disclosed publicly on Monday by Google, provoking a sharp rebuke from Microsoft about the dangers of revealing flaws such as this before fixes are available.
Microsoft said the software flaw had been used by a group it calls Strontium, and which is known more widely as Fancy Bear. The group, which has been operating for nearly a decade, has been linked by security researchers to the Russian military and has been tied to a number of attacks on government, military and corporate systems. These include an assault on the DNC this year that is believed to have led to subsequent email leaks that have embarrassed the Democratic party in the run-up to the presidential election.
The flaw was uncovered by two security researchers at Google and reported to Microsoft on October 21. On Monday, when the software company had still not released a “patch” to protect its Windows operating system from attack, Google publicly announced the vulnerability.
Terry Myerson, head of the Windows business, hit out at Google on Tuesday, suggesting the internet company had not shown “responsible technology industry participation”. Disclosing a so-called “zero-day” exploit before it has been repaired alerts other hackers to the flaw and can lead to more attacks on Windows PCs.
“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” Mr Myerson wrote in a blog post.
Google defended its actions on Monday, saying it always publishes details of “critical vulnerabilities” seven days after it warns other software companies about them so that computer users will be aware of the danger.
It said it had also warned Adobe about a flaw in its own Flash software which, used together with the Windows vulnerability, had enabled hackers to exploit machines. Adobe released a patch for its own product last Wednesday, less than a week after being warned about it.
The hacking group identified by Microsoft as having exploited the flaw is known for using spear phishing, or highly targeted emails, to trick users into inadvertently downloading software that then attacks their machines.
In this case, Microsoft said, the code planted by the hackers first exploited Adobe’s Flash to take control of a user’s browser, then elevated its own privileges in the software so that it could escape the limitations normally put on web programs. From there, the hackers were able to install a backdoor giving them access to the machines that had been infected.
Anyone using Microsoft’s new Edge browser, which is included in Windows 10, should be protected, the company said. But other versions of Windows will be exposed until at least November 8, the date when Microsoft said it planned to release a patch to solve the problem.