Skip to main content

Microsoft releases patch for zero-day Flash and Windows Kernel exploit

women in artificial intelligence google data center header
Google
Microsoft released a patch on Tuesday to fix a zero-day Flash and Windows Kernel vulnerability recently outed by Google. Microsoft had stated previously a fix was being internally tested and would roll out to all relevant Windows platforms and it made good on its word.

Microsoft previously took the opportunity to chastise Google for releasing the breach data publicly before Microsoft was ready to release a patch.

At the end of October, Google, in accordance with its disclosure timeline for active vulnerabilities, publicly detailed a pair of nasty vulnerabilities in both Adobe’s Flash and Microsoft’s Windows platform. This came after a week of internal discussion with both companies, which saw the former issue a patch for their software and the latter not.

“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” said Terry Myerson, executive vice president of Windows and Devices Group.

Google maintains however that it gave Microsoft plenty of time to respond to the news. Neel Mehta and Billy Leonard of Google’s Threat Analysis Group reports submitted a warning to both Adobe and Microsoft over zero-day vulnerabilities discovered in Adobe Flash and Windows. The report was provided to both companies on October 21 and Adobe immediately responded on October 26 with an update to Flash.

“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape,” they stated on Monday. “It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”

This is a bug that Microsoft claims is now being actively exploited by a Russian hacking group, which it names as Strontium — though as BetaNews explains, it has gone by other names, too. This is a group previously cited as a Russian state actor, suggesting some sort of blessing from the country’s administration.

The attacks have involved targeted spear phishing against a subset of Windows users, though Microsoft did not detail who makes up that group, which doesn’t do much to comfort potentially affected users. It did however go out of its way to claim that Windows 10 users running Microsoft’s Edge browser were protected from it.

Although Microsoft didn’t state as such, customers who use the Chrome browser should not see a problem either, as its “sandbox” capability blocks calls to a core Windows component (win32k.sys) by taking advantage of a lockdown feature built into Windows. This prevents hackers from using the newly discovered vulnerability to escape the browser’s sandbox environment.

If you are not familiar with what sandboxing does, just imagine a virtual box that keeps all running code related to the internet contained as a separate entity in the browser, preventing code, malicious or not, from spilling over into the Windows environment and executing separately. But with the new vulnerability, hackers could create internet-based malware that could slip through the container’s cracks and install on a targeted PC.

Thus, Windows customers not using Google Chrome could be subject to an attack when surfing the internet with another browser.

“We encourage users to verify that auto-updaters have already updated Flash — and to manually update if not — and to apply Windows patches from Microsoft when they become available for the Windows vulnerability,” Google said in a statement of its own. Now that the fix has been released, users are strongly recommended to upgrade as soon as possible to avoid being subject to a hack attack.

Adobe warned about CVE-2016-7855 last week, stating that the vulnerability enables hackers to run malicious code on a target PC using a Flash file. In turn, this code can install various threats in the PC’s system that eventually can grant the hacker full control. The problem was listed as critical and was accompanied by a patch bringing Flash Player up to version 232.0.0.205 for Windows/Mac/Chrome OS, and up to version 11.2.202.643 for Linux.

According to Adobe, the targeted attacks are limited and focus on machines running Windows 7, Windows 8.1, and Windows 10. So far, there are no signs that hackers are targeting Linux machines as well, but Adobe released a patch for those users nonetheless.

Web surfers not sure about what version of Flash Player they are using can check the version number by heading here to allow Adobe’s website to scan the locally installed software. Users can also right-click on a webpage’s (many) Flash component(s) and select “About Adobe (or Macromedia) Flash Player” from the menu. Users should do this for every browser installed on the PC.

Updated on 11-08-2016 by Mark Coppock: Added note that the exploit has been fixed in the November 8 patch.

Editors' Recommendations

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Internet Explorer zero-day exploit makes files vulnerable to hacks on Windows PCs
Windows 10 Surface Pro 4 stock photo

There were already a number of reasons to not use Internet Explorer. But if you needed another one, here it is.

According to ZDNet, a security researcher named John Page has published evidence of an Internet Explorer zero-day exploit that renders Windows PCs vulnerable to having their files stolen by hackers.

Read more
Microsoft continues open-source effort, releases Windows Calculator code
Windows Insider

In the past, Microsoft's relationship with the open-source community had been on murky waters, but another recent announcement by the company shows that it is dedicated to changing that perception. In 2018, Microsoft released more than 60,000 patents into the Open Invention Network, a group that is designed to protect Linux from any possible patent lawsuits. Now, the source code to Windows Calculator is also making its way into the hands of interested individuals.

On GitHub, Microsoft made the complete code of its Windows Calculator program available to the community. While the decision may at first seem only beneficial to developers who wish to utilize the code with their work, Microsoft hopes to see new features or ideas emerge from the move as developers create and experiment with it. The Windows Calculator isn't the only Microsoft program to find its way into the open-source community either -- also in 2018, the company made their Windows 3.0 File Manager code available. Additionally, as developers play with Microsoft's Windows Calculator code, they may discover bugs or other design flaws that can then be reported to the company and fixed.

Read more
Miss Windows 7? Here’s how it would look if Microsoft released it today
windows 7 2018 concept windows7concept01

Windows 7 — 2018 Edition (Concept)

While the latest version of Windows 10 may be your best bet for a modern, secure, and fast Windows experience today, that doesn't mean we don't occasionally miss its older versions. They had a certain charm and simplicity about them which isn't necessarily present in Windows 10. What if it was though? That's the question that YouTuber Avdan sought to answer with this Windows 7 2018 concept video.

Read more