Skip to main content

Microsoft releases patch for zero-day Flash and Windows Kernel exploit

women in artificial intelligence google data center header
Google
Microsoft released a patch on Tuesday to fix a zero-day Flash and Windows Kernel vulnerability recently outed by Google. Microsoft had stated previously a fix was being internally tested and would roll out to all relevant Windows platforms and it made good on its word.

Microsoft previously took the opportunity to chastise Google for releasing the breach data publicly before Microsoft was ready to release a patch.

Recommended Videos

At the end of October, Google, in accordance with its disclosure timeline for active vulnerabilities, publicly detailed a pair of nasty vulnerabilities in both Adobe’s Flash and Microsoft’s Windows platform. This came after a week of internal discussion with both companies, which saw the former issue a patch for their software and the latter not.

“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” said Terry Myerson, executive vice president of Windows and Devices Group.

Google maintains however that it gave Microsoft plenty of time to respond to the news. Neel Mehta and Billy Leonard of Google’s Threat Analysis Group reports submitted a warning to both Adobe and Microsoft over zero-day vulnerabilities discovered in Adobe Flash and Windows. The report was provided to both companies on October 21 and Adobe immediately responded on October 26 with an update to Flash.

“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape,” they stated on Monday. “It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”

This is a bug that Microsoft claims is now being actively exploited by a Russian hacking group, which it names as Strontium — though as BetaNews explains, it has gone by other names, too. This is a group previously cited as a Russian state actor, suggesting some sort of blessing from the country’s administration.

The attacks have involved targeted spear phishing against a subset of Windows users, though Microsoft did not detail who makes up that group, which doesn’t do much to comfort potentially affected users. It did however go out of its way to claim that Windows 10 users running Microsoft’s Edge browser were protected from it.

Although Microsoft didn’t state as such, customers who use the Chrome browser should not see a problem either, as its “sandbox” capability blocks calls to a core Windows component (win32k.sys) by taking advantage of a lockdown feature built into Windows. This prevents hackers from using the newly discovered vulnerability to escape the browser’s sandbox environment.

If you are not familiar with what sandboxing does, just imagine a virtual box that keeps all running code related to the internet contained as a separate entity in the browser, preventing code, malicious or not, from spilling over into the Windows environment and executing separately. But with the new vulnerability, hackers could create internet-based malware that could slip through the container’s cracks and install on a targeted PC.

Thus, Windows customers not using Google Chrome could be subject to an attack when surfing the internet with another browser.

“We encourage users to verify that auto-updaters have already updated Flash — and to manually update if not — and to apply Windows patches from Microsoft when they become available for the Windows vulnerability,” Google said in a statement of its own. Now that the fix has been released, users are strongly recommended to upgrade as soon as possible to avoid being subject to a hack attack.

Adobe warned about CVE-2016-7855 last week, stating that the vulnerability enables hackers to run malicious code on a target PC using a Flash file. In turn, this code can install various threats in the PC’s system that eventually can grant the hacker full control. The problem was listed as critical and was accompanied by a patch bringing Flash Player up to version 232.0.0.205 for Windows/Mac/Chrome OS, and up to version 11.2.202.643 for Linux.

According to Adobe, the targeted attacks are limited and focus on machines running Windows 7, Windows 8.1, and Windows 10. So far, there are no signs that hackers are targeting Linux machines as well, but Adobe released a patch for those users nonetheless.

Web surfers not sure about what version of Flash Player they are using can check the version number by heading here to allow Adobe’s website to scan the locally installed software. Users can also right-click on a webpage’s (many) Flash component(s) and select “About Adobe (or Macromedia) Flash Player” from the menu. Users should do this for every browser installed on the PC.

Updated on 11-08-2016 by Mark Coppock: Added note that the exploit has been fixed in the November 8 patch.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Microsoft will release a fix for major Windows vulnerability found by the NSA
A Microsoft Surface Book opened and being used.

You may want to update all your Microsoft-related software ASAP. The National Security Agency -- yes, the same NSA that Edward Snowden warned us about -- reportedly alerted Microsoft that there’s a major flaw in the Windows operating system, a flaw that Microsoft has not confirmed that it's directly addressed as of yet. Reportedly, it could affect the Windows 10 operating system, and the Windows Server 2016.

First reported by the Washington Post, Microsoft said in a statement to Digital Trends that it is “releasing this month’s update” at 10 a.m. PST on Tuesday, January 14, as part of a “regular Update Tuesday schedule.”

Read more
This Lenovo ThinkPad is almost $1,800 off today!
A press photo of the ThinkPad X1 Carbon Gen 11.

One of the best laptops for a busy computer-heavy workplace is the Lenovo ThinkPad. For years, this tried and true laptop and 2-in-1 has delivered a fast and reliable Windows experience to many a 9 to 5 go-getter. Processor speed and power evolve year over year, and new features are added to these laptops all the time. This also means you’ll be able to find discounts on older machines, which is precisely what we came across while scouring through Lenovo ThinkPad deals:

Right now, as part of Lenovo’s doorbuster sale, you’ll save $1,800 on the purchase of a brand-new Lenovo ThinkPad X1 Carbon Gen 11 when you order through Lenovo.

Read more
Runway brings precise camera controls to AI videos
Gen-3 alpha advanced camera controls

Content creators will have more control over the look and feel of their AI-generated videos thanks to a new feature set coming to Runway's Gen-3 Alpha model.

Advanced Camera Control is rolling out on Gen-3 Alpha Turbo starting today, the company announced via a post on X (formerly Twitter).

Read more