Fix goes out Nov. 8 for vulnerability used by Russian hackers who penetrated the Democratic National Committee

Microsoft on Tuesday said it would patch a Windows vulnerability next week that Google publicly revealed just 10 days after notifying Microsoft.

Microsoft also named the attackers: the group that security researchers and U.S. authorities have accused of hacking the Democratic National Committee (DNC), although Microsoft itself stopped short of making that connection.

"All versions of Windows are now being tested ... and we plan to release [the patches] publicly on the next Update Tuesday, Nov. 8," wrote Terry Myerson, the head of the Windows and Devices Group, in a post to a company blog.

Myerson also took a swing at Alphabet Inc.'s Google for disclosing the Windows vulnerability. "We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure," he said. "Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."

Google went public with the flaw, an elevation-of-privilege bug in the Windows kernel, on Monday, saying in a post of its own that it had notified Microsoft on Oct. 21. Because attackers were actively exploiting the vulnerability, Google argued that its 2013 policy of disclosing actively exploited flaws within seven days applied.

Also on Oct. 21, Google told Adobe of a vulnerability in Flash Player; attackers have used a multi-exploit package that chained the Flash and Windows flaws to hijack PCs. Adobe patched the Flash flaw on Oct. 26. Microsoft had used that fact earlier Tuesday to criticize Google for calling the Windows vulnerability "particularly serious," saying that users could deflect the ongoing attacks by updating Flash Player. Updating Flash removes the delivery vehicle for that particular chain, but a kernel privilege-escalation bug stays exploitable through any other route to code execution on the machine until the Windows patch itself ships.

Google and Microsoft have butted heads numerous times over vulnerability disclosures after researchers working for the former revealed flaws before the latter was able to issue patches.

In early 2015, for example, Microsoft complained that Google had disclosed a Windows flaw just days before it was to be patched. "[Google's] decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result," said Chris Betz, at the time a senior director of the Microsoft Security Response Center (MSRC). Microsoft has since dismantled the center.

The tension over bug disclosure harks back to 2010, when Google security engineer Tavis Ormandy went public with a critical Windows vulnerability just five days after notifying Microsoft.

On Tuesday, Myerson also confirmed that the hacker group using the Windows and Flash flaws was Strontium, Microsoft's name for a gang that other security professionals track as APT28 and Fancy Bear. The group has been blamed for hacking the DNC this year and, since at least 2007, for targeting governments, militaries and diplomats around the world. U.S. authorities last month charged the Russian government with ultimate responsibility for the DNC hack, saying that senior Russian officials were behind the attack.

Microsoft described the latest Strontium attacks, but did not link them or the group to the DNC hack.

"Microsoft has attributed more [zero]-day exploits to Strontium than any other tracked group in 2016," Myerson wrote. "Strontium frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims' computer."

Myerson also used the attack to again pitch Windows 10, repeating the claim that the new operating system is "the most secure ... we've ever built."