Russian hackers had been actively exploiting two zero-day vulnerabilities prior to Google’s announcement of the flaws. Google’s Threat Analysis Group announced the flaws, including how they could be exploited, earlier this week.
Microsoft had been informed of a new zero-day vulnerability on October 21, although Google only waited 10 days before making the announcement and, crucially, did so before Microsoft had issued a patch.
While Google usually waits up to three months before making flaws public to give organizations time to develop a patch, in this case the decision was made to publish details of the flaws early as they were being actively exploited in the wild. In cases when flaws are actively being exploited, Google only provides vendors with 7 days to issue an advisory or patch the flaw.
According to Google, “The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape.” Google also announced that the vulnerability could be triggered with a win32k.sys system call.
Just a few days after Google’s announcement, Microsoft said the vulnerability is already being exploited using spear phishing campaigns. Russian hackers from the hacking group known as Fancy Bear / APT28 have been exploiting the flaw to gain elevation of privileges, which has allowed them to install backdoors in PCs giving them persistent access.
The two vulnerabilities discovered by Google researchers affected Windows and Adobe Flash. The Adobe flaw (CVE-2016-7855) affects Windows 7, 8.1 and 10 users and could potentially be used by hackers to gain full control of an affected system. The Adobe flaw was also being actively exploited in the wild. Adobe released an updated version of its Flash Player within 5 days of being informed of the flaw by Google on October 21. However, the Windows vulnerability had not been addressed. A patch has been developed, but it will not be issued until Patch Tuesday on November 8.
Google has been criticized for making the Microsoft Windows flaw public before Microsoft had issued a patch. While the flaw is being actively exploited by one hacking group, the announcement could see other hackers take advantage. According to Microsoft’s executive vice president of the Windows and Devices Group, “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”