Google’s Threat Analysis Group publically disclosed on Monday a critical zero-day vulnerability in most versions of Windows just 10 days after privately disclosed both zero days to Microsoft and Adobe.
While Adobe rushed an emergency patch for its Flash Player software on October 26, Microsoft had yet to release a fix.
Microsoft criticized Google’s move, saying that the public disclosure of the vulnerability — which is being exploited in the wild — before the company had time to prepare a fix, puts Windows users at "potential risk."
The result? Windows Vista through current versions of Windows 10 is still vulnerable, and now everybody knows about the critical vulnerability.
Now, Microsoft said that the company would be releasing a patch for the zero-day flaw on 8th November, as part of its regular round of monthly security updates.
Russian Hackers are actively exploiting critical Windows kernel bug
Microsoft acknowledged the vulnerability in a blog post on Tuesday, in which the company said that the Windows kernel bug was being actively exploited by a well-known sophisticated hacking group previously linked to the Russian government.
Terry Myerson, executive vice president of Microsoft’s Windows and Devices group, said the flaw was being exploited on a "low-volume scale" by Strontium group, also known as Fancy Bear, Sofacy, and APT 28, in targeted attacks.
Fancy Bear is the same hacking group which has also been accused by the United States Intelligence community of hacking the US Democratic National Committee, Clinton Campaign Chair John Podesta, and former Secretary of State Colin Powell, among others.
Myerson noted that Fancy Bear abusing the Google-reported flaw had been sending spear-phishing emails in order to trick recipients into clicking on malicious links or opening bogus attachments, which end them up installing malware on their machines or disclosing their personal information.
The vulnerability (CVE-2016-7855) is a local privilege escalation bug exists in the Windows operating system kernel, which can be exploited by malware to gain admin access on any Windows system.
Once exploited, the flaw can be used to escape the sandbox protection and execute malicious code on the compromised Windows machine.
Wait another Week for Windows zero-day patch
Microsoft encouraged its customers to upgrade to Windows 10, as the Edge browser on Windows 10 Anniversary Update is not affected by the Windows kernel flaw.
Microsoft engineers are working on a Windows patch, but in the meantime, there is little you can do in order to protect yourself from this attack observed in the wild.
"We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows," Myerson said. "Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8."
For now, you are advised to update Chrome and Adobe Flash, or remove it completely, and until Microsoft issues a fix, be careful what software you download, what websites you visit, and particularly what email links you click.
For more details about the critical vulnerability, you can head on to read Microsoft’s official blog post.