Microsoft releases patch for zero-day Flash and Windows Kernel exploit

women in artificial intelligence google data center header
Google
Microsoft released a patch on Tuesday to fix a zero-day Flash and Windows Kernel vulnerability recently outed by Google. Microsoft had stated previously a fix was being internally tested and would roll out to all relevant Windows platforms and it made good on its word.

Microsoft previously took the opportunity to chastise Google for releasing the breach data publicly before Microsoft was ready to release a patch.

At the end of October, Google, in accordance with its disclosure timeline for active vulnerabilities, publicly detailed a pair of nasty vulnerabilities in both Adobe’s Flash and Microsoft’s Windows platform. This came after a week of internal discussion with both companies, which saw the former issue a patch for their software and the latter not.

“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” said Terry Myerson, executive vice president of Windows and Devices Group.

Google maintains however that it gave Microsoft plenty of time to respond to the news. Neel Mehta and Billy Leonard of Google’s Threat Analysis Group reports submitted a warning to both Adobe and Microsoft over zero-day vulnerabilities discovered in Adobe Flash and Windows. The report was provided to both companies on October 21 and Adobe immediately responded on October 26 with an update to Flash.

“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape,” they stated on Monday. “It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”

This is a bug that Microsoft claims is now being actively exploited by a Russian hacking group, which it names as Strontium — though as BetaNews explains, it has gone by other names, too. This is a group previously cited as a Russian state actor, suggesting some sort of blessing from the country’s administration.

The attacks have involved targeted spear phishing against a subset of Windows users, though Microsoft did not detail who makes up that group, which doesn’t do much to comfort potentially affected users. It did however go out of its way to claim that Windows 10 users running Microsoft’s Edge browser were protected from it.

Although Microsoft didn’t state as such, customers who use the Chrome browser should not see a problem either, as its “sandbox” capability blocks calls to a core Windows component (win32k.sys) by taking advantage of a lockdown feature built into Windows. This prevents hackers from using the newly discovered vulnerability to escape the browser’s sandbox environment.

If you are not familiar with what sandboxing does, just imagine a virtual box that keeps all running code related to the internet contained as a separate entity in the browser, preventing code, malicious or not, from spilling over into the Windows environment and executing separately. But with the new vulnerability, hackers could create internet-based malware that could slip through the container’s cracks and install on a targeted PC.

Thus, Windows customers not using Google Chrome could be subject to an attack when surfing the internet with another browser.

“We encourage users to verify that auto-updaters have already updated Flash — and to manually update if not — and to apply Windows patches from Microsoft when they become available for the Windows vulnerability,” Google said in a statement of its own. Now that the fix has been released, users are strongly recommended to upgrade as soon as possible to avoid being subject to a hack attack.

Adobe warned about CVE-2016-7855 last week, stating that the vulnerability enables hackers to run malicious code on a target PC using a Flash file. In turn, this code can install various threats in the PC’s system that eventually can grant the hacker full control. The problem was listed as critical and was accompanied by a patch bringing Flash Player up to version 232.0.0.205 for Windows/Mac/Chrome OS, and up to version 11.2.202.643 for Linux.

According to Adobe, the targeted attacks are limited and focus on machines running Windows 7, Windows 8.1, and Windows 10. So far, there are no signs that hackers are targeting Linux machines as well, but Adobe released a patch for those users nonetheless.

Web surfers not sure about what version of Flash Player they are using can check the version number by heading here to allow Adobe’s website to scan the locally installed software. Users can also right-click on a webpage’s (many) Flash component(s) and select “About Adobe (or Macromedia) Flash Player” from the menu. Users should do this for every browser installed on the PC.

Updated on 11-08-2016 by Mark Coppock: Added note that the exploit has been fixed in the November 8 patch.

Gaming

These are the must-have games that every Xbox One owner needs

More than four years into its life span, Microsoft's latest console is finally coming into its own. From Cuphead to Halo 5, the best Xbox One games offer something for players of every type.
Gaming

How do the revised Xbox One and PlayStation 4 consoles stack up?

Microsoft's new Xbox One S and Sony's PlayStation 4 "Slim" have bucked the generational gaming console trend. But which of these stopgap systems is worth spending your paycheck on?
Computing

Tired of paying a monthly fee for Word? The best Microsoft Office alternatives

Looking for a competent word processor that isn't Microsoft Word? Thankfully, the best alternatives to Microsoft Office offer robust features, expansive compatibility, and an all-too-familiar aesthetic. Here are our favorites.
Computing

Windows 7 is still immensely popular. Is it really better than Windows 10?

With the end of support of Windows 7 approaching, have you been holding off on upgrading to Windows 10? In this guide, we give look at some of the biggest differences between the most popular operating systems.
Computing

These Windows 10 keyboard shortcuts will take your skills to a new level

Windows 10 has many new features, and they come flanked with useful new keyboard shortcuts. Check out some of the new Windows 10 keyboard shortcuts to improve your user experience and save more time!
Computing

What is Wi-Fi 6? Here's a look at the next evolution of the wireless standard

We're exploring the new naming convention for wireless standards, how it affects the devices you buy, and what the upcoming Wi-Fi generation is changing for the better.
Computing

Windows is getting a face-lift in 2020, but you can get a sneak peek right now

Microsoft is increasing the lead time for an upcoming major update to Windows 10, giving Windows Insiders the ability to test it right now, even though it's not set for release until 2020.
Emerging Tech

A.I.-powered website creates freakishly lifelike faces of people who don’t exist

No, this isn't a picture of a missing person. It's a face generated by a new artificial intelligence on the website ThisPersonDoesNotExist.com. Here's how the impressive A.I. works.
Deals

The best Presidents’ Day sales 2019: Amazon, Walmart, Dell, and more

Presidents' Day sales are a great chance to score electronics, clothing, home and office stuff, and other goodies at a discount. We’ve smoked out a large handful of the best of these Presidents' Day deals, from tech to bedding, to help…
Deals

Keep your MacBook safe and dry with an Under Armour backpack for under $50

Under Armour is having a huge sale this weekend to help you on your quest for a better backpack. The UA Outlet Exclusive sale is going on now through Monday, February 18th, offering great discounts on stormproof backpacks.
Deals

Walmart Presidents’ Day sale: Instant Pot, Google Home, and 4K TV deals

Presidents' Day weekend is one of the best times of the year to find deep discounts on 4K TVs, laptops, Instant Pots, clothes, mattresses, and furniture. And Walmart is offering deals on all of those things and more.
Computing

The HoloLens 2 will be announced at MWC. Here's what we know about it so far

The HoloLens 2 is ripe for an announcement. Here's what Microsoft has revealed so far, what's likely in store for the next generation HoloLens, and everything that we know about this mixed reality headset.
Computing

Don't know what to do with all your old DVDs? Here's how to convert them to MP4

Given today's rapid technological advancements, physical discs are quickly becoming a thing of the past. Check out our guide on how to convert a DVD to MP4, so you can ditch discs for digital files.
Computing

Wi-Fi helps connect all of our devices at high-speed, but what exactly is it?

What is Wi-Fi? It's a technology we all use everyday to connect all of our portable devices, but understanding how it works and how far it's come from its humble beginnings is another thing entirely.