Microsoft preparing to patch security flaw used in cyberattacks
Microsoft will issue a patch next week for a Windows security vulnerability being used by a Russian hacking group to breach systems, the company announced in a blog post.
The group known as Fancy Bear — recently publicized for its role in the Democratic National Committee hacks — was using the Windows attack in conjunction with two Adobe Flash vulnerabilities which have already been patched. Users who keep software up to date are not thought to be currently at risk.
The vulnerability exists in all versions of Windows dating back to Windows Vista.
“[P]atches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov. 8,” said Terry Myerson, executive vice president of the Windows and Devices Group.
Google publicly announced the Windows vulnerability on Monday without coordinating the announcement with Microsoft. Generally, researchers try to both notify a company that a vulnerability exists and work with the company to patch it before a public announcement that would alert hackers to the security soft spot.
At a minimum, most researchers give companies weeks or months of time to issue a patch before alerting the public.
While Google notified Microsoft of the problem, it did not wait until Microsoft released a patch. Instead, it waited only 10 days to notify the public. Google said that since the attack is being actively used in the wild, the public needed an immediate warning.
“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” wrote Myerson.
Fancy Bear, also called Sofacy and, in Microsoft’s internal parlance, Strontium, is widely believed to be a Russian intelligence operation.
