- Patch is part of monthly cumulative update for Windows
- Microsoft Edge users on Windows 10 Anniversary Update already covered
- Microsoft identified Strontium as the group that was targeting users
Microsoft has issued a patch for the critical Windows 10 system vulnerability brought to light by Google last week, the company said in its security bulletin announcement on Tuesday. The Redmond-based software giant had expressed its displeasure with the disclosure by the search giant, which had cited the bug’s active targeting as its reason for going public.
The fix is available as part of Windows’ monthly updates. Microsoft claimed the vulnerability did not affect anyone using Microsoft Edge on Windows 10 Anniversary Update, and any attacks could also be detected using Windows Defender Advanced Threat Protection. For everyone else, hackers who manage to successfully exploit the vulnerability “could then install programs; view, change, or delete data; or create new accounts with full user rights”.
After Google’s Threat Analysis Group reported its findings, Microsoft traced the activity to a hacker group it calls Strontium, which mostly dabbles in “low-volume spear-phishing”. According to Microsoft, Strontium has been linked with more zero-day exploits than any other group in 2016. The group mostly targets government agencies, diplomatic institutions, and military organisations, along with defence contractors and public policy research institutes.
Owing to the risk involved, Microsoft’s Windows and Devices Group VP Terry Myerson believes coordinated vulnerability disclosure is better for customers. “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” he said.
Now that Microsoft has a patch out, you should check the updates section to ensure you’re in the clear. And if you’re yet to update Adobe Flash, get on that pronto.