As promised, Microsoft today patched Windows to resolve a critical system vulnerability that Google’s security team publicized last Monday. The search giant controversially chose to acknowledge the bug before Microsoft had fixed it, claiming that hackers were already actively targeting it. As noted by ZDNet, the fix is contained in today’s release of monthly security patches.
According to Microsoft’s security bulletin, any attacker who tricked a user into running a “specially-crafted application” could successfully exploit the vulnerability and gain the ability to “install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft believes that Strontium, a Russia-linked group, is responsible for launching “low-volume spear phishing attacks” that took advantage of the flaw; the attacks leveraged vulnerabilities in both Adobe Flash and the Windows kernel. Even before today’s monthly patch release, Microsoft said the attack could be detected by enabling Windows Defender Advanced Threat Protection. (And people using Microsoft Edge as of the Windows 10 Anniversary Update were apparently protected.)
Still, Windows VP Terry Myerson voiced displeasure with Google’s quick public callout of the problem. “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” he wrote in a blog post last week.
To be certain you’re in the clear, ensure that your Windows PC is updated with all of Microsoft’s latest security patches as of today.