A previously unknown "zero-day" flaw in Windows is being exploited by hackers, but Microsoft will not fix it until the middle of next month. The vulnerability affects Windows 7 through Windows 10.
So say researchers at Google's Project Zero. They also revealed that the Windows exploit is just the second phase of a one-two punch that remote attackers are using to take over PCs. The first stage is the Chrome flaw that was disclosed (and patched) last week.
"As of now, we expect a patch for this (Microsoft) issue to be available on November 10, or the next Microsoft Patch Tuesday," tweeted Ben Hawkes, Project Zero's technical lead.
"We confirmed with Shane Huntley (@ShaneHuntley), director of Google's threat analysis group, that this is a targeted attack and not related to any U.S. election-related targets."
The Windows exploit requires local access, i.e., it can be used only by a person or software that already has access to the machine, so on its own it is not a very imminent threat.
The Chrome flaw, however, is more serious because it can be exploited remotely. Malicious email attachments or websites can use the Chrome flaw to escape the browser's "sandbox" and use the Windows flaw to hijack a machine.
The exploit confuses the numeric input of the encryption driver, letting the attacker overwrite a portion of memory and execute their own code. Mateusz Jurczyk and Sergei Glazunov of Project Zero posted proof-of-concept code on Project Zero's official blog that causes a system crash, but it seems that more nefarious results are possible.
Tom's Guide asked about this, and Microsoft responded as follows.
"Microsoft has a customer commitment to investigate reported security issues and update affected devices to protect our customers. While we strive to meet all researchers' release deadlines, including short-term deadlines like this scenario, the development of security updates is a balance between timeliness and quality, and our ultimate goal is to help ensure maximum customer protection while minimizing customer disruption. We are committed to doing so."
Until Microsoft releases a patch, the best way to protect yourself from this Windows flaw is, ironically, to update your Chrome, Edge, Brave, Opera, Vivaldi, and other Chromium-based browsers to the latest versions.
In Chrome and many other browsers, click on the settings icon in the upper right corner of the browser window.
Once you find the version information, click on it and a new tab will open that will automatically check for updates. If there is an update, the browser will download the update and prompt you to restart.
The latest version of Brave and Chrome is 86.0.4240.111; the latest version of Edge is 86.0.622.58. (The latter includes a security fix for Chromium from Microsoft's Security Advisory.)
We also recommend using the best anti-virus software available. To date, these two flaws have been used in targeted attacks against specific individuals and organizations, presumably by state attackers and well-funded criminal groups.
But now that the secret is out, malware operators may incorporate this Windows exploit into their own modus operandi. If malware can get onto a machine by other means, there is no need to use the Chrome exploit.
So why would Google expose a vulnerability that will probably not be fixed until Patch Tuesday in November and demonstrate the exploit? It is all part of Google's strict policy regarding actively exploited flaws.
"We have evidence that the following bug is being used in the wild," the disclaimer reads at the top and bottom of Project Zero's post.
"As such, this bug is subject to a 7-day public disclosure deadline." In other words, Google suggests that Microsoft was informed of this flaw on October 22, the same day the Project Zero blog post was created. (The blog post was kept private until noon Eastern time today, October 30.)
Google's reasoning is that now that seven days have passed, the world should know so that Windows users can properly protect themselves.
Such transparency is not necessarily good for a company whose dirty laundry is out in the open. Microsoft has filed complaints before, most notably in 2015, when Google disclosed a vulnerability in Windows two days before it was patched.
Last year, Apple accused Google of detailing a half-dozen flaws in iOS that Chinese authorities had used over the years to spy on iPhones belonging to minorities. Google waited six months after Apple fixed them before going public.