Microsoft patch for Google-outed exploit is still a week away

Unfortunately, the fix comes after attackers started using the flaw.


Microsoft is still more than a little upset at Google revealing unpatched Windows security flaws, but it'll at least have a solution in hand in the days ahead. The software giant now plans to issue a patch for affected versions of Windows on November 8th. You're in good shape if you use both the Windows 10 Anniversary Update and a sufficiently up-to-date browser (both Chrome and Edge should be safe), but you'll definitely have to be cautious if you can't use one of the known safe browsers or the latest version of Windows.

There's good reason to be careful, too. In elaborating on Google's warning about active exploits, Microsoft reports that a group nicknamed Strontium has used the vulnerabilities in both Windows and Adobe Flash to run a "low-volume" phishing campaign. You probably won't be targeted by that group, but that's not the point. The company is concerned not only that attacks are in the wild, but that other hacking teams may take advantage of the disclosed details to launch their own hostile code. A week can be a long time in the security world, after all. While there's a chance that Google's rapid-fire public disclosure accelerated the patch, it might well have exposed people to unnecessary danger.

Update: A Microsoft spokesperson sent over the following statement, disagreeing with Google's initial characterization of the flaw.
We disagree with Google's characterization of a local Elevation of Privilege as "critical" and "particularly serious," since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week. Additionally, our analysis indicates that this specific attack was never effective against the Windows 10 Anniversary Update due to security enhancements previously implemented.