By Gregg Keizer
Nov. 9, 2016
Microsoft today patched a Windows vulnerability that was disclosed just over a week ago by researchers from Alphabet Inc.'s Google.
In one of several security updates -- 14 to be exact -- Microsoft fixed the bug in the Windows kernel drivers that Google security engineers had revealed on Oct. 31, 10 days after notifying Microsoft of the vulnerability.
Microsoft credited Neel Mehta and Billy Leonard of Google's Threat Analysis Group for reporting the flaw. Last week, the two said that because the vulnerability was being actively exploited, a disclose-within-seven-days policy applied.
Microsoft's top Windows executive, Terry Myerson, castigated Google for the move. "Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk," Myerson wrote in a Nov. 1 post.
Myerson claimed that the attacks in circulation were being conducted by a Russian group that previously was linked to a hack of the Democratic National Committee (DNC). The gang, which Microsoft dubbed Strontium, has been responsible since at least 2007 for very targeted attacks against governments, militaries and diplomats around the globe.
Also last week, Microsoft asserted that, while the latest Windows 10 upgrade -- the summer's Anniversary Update -- contained the flaw, an anti-exploit defense had been added to that edition prior to the attacks coming to light. "These Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit," Myerson said.
Today, Microsoft patched the kernel drivers bug in Windows 10, as well as in Vista, Windows 7 and Windows 8.1.