Look for MS16-135 to remain protected against this flaw

Nov 9, 2016 07:53 GMT

Microsoft rolled out this month’s Patch Tuesday fixes only a few hours ago, including an update that addresses the Windows security flaw that search giant Google made public last week.

Google discovered an unpatched vulnerability in Windows and, after notifying Microsoft, decided to make it public, adding that exploits had already been spotted in the wild. Google’s security effort has a policy that gives companies 7 days to fix the security flaws it finds, and in Microsoft’s case, the public disclosure was made after 10 days.

Microsoft blamed Google for posting details online, explaining that Google’s decision left Windows users vulnerable to attacks, and promised to release a fix on Patch Tuesday.

Today, this fix is finally available in the form of MS16-135, an update that, oddly enough, is labeled as important, even though Microsoft itself confirmed that there were attacks launched against this vulnerability.

“This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system,” Microsoft says in the description of the update that’s flagged as a “security update for Windows kernel-mode drivers.”

Fancy Bear attacks

Microsoft previously said that a Russian hacker group called Strontium, also known as Fancy Bear, attempted to exploit the security flaw, revealing that it recorded low-volume spear phishing attacks specifically aimed at taking advantage of unpatched systems. The firm recommended that users switch to Microsoft Edge, which was already secure against the flaw.

“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” Microsoft’s Terry Myerson said last week.

Users are advised to prioritize deployment of this update even though it’s labeled as important, and Microsoft explains that a system reboot is required to complete the install.