Fancy Bear, the hacking group believed to be behind some of the email dumps in the ongoing Hillary Clinton saga, have been using a newly discovered Windows zero-day vulnerability. In a public announcement made on Tuesday, Microsoft said it is working to close the recently discovered security flaw as quickly as possible, and it expects to issue an update for the zero-day as part of its scheduled patch cycle on 8 November 2016.
Google Discovers Windows Zero-day
According to the press release, Fancy Bear (who are believed to work for the Russian government) have been using a flaw in the Windows win32k kernel component to bypass security. The flaw was first announced by Google on Monday in a security blog post, a move which is said to have infuriated Microsoft. In the post, Google said:
“On Friday, October 21st, we reported 0-day vulnerabilities — previously publicly-unknown vulnerabilities.
“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited.”
Google then goes on to explain the details of the zero-day flaw in Microsoft’s system:
“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”
Microsoft has been quick to criticize Google’s public disclosure of the previously unknown vulnerability before it had a chance to issue a fix:
“Today’s disclosure by Google puts customers at potential risk. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.
“Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”
Despite Microsoft’s irritation, it is believed that the information published by Google is more likely to be useful for diagnosing a possible penetration, rather than for inspiring further cyber attacks.
According to security experts, the information disclosed by Google is well suited to diagnosing a potential breach but does not give away enough detail to be easily exploited by would-be hackers. Even so, any public information about an ongoing critical vulnerability is clearly unwelcome for Microsoft.
Yesterday, a post from Microsoft’s Executive VP Terry Myerson explained the link between the vulnerability and the Russian group Microsoft tracks as ‘Strontium’ (better known as ‘Fancy Bear’). According to the press release, evidence shows those hackers used email-based ‘spear phishing’ attacks to take advantage of the Windows zero-day. The post also informs consumers that Windows 10 users browsing with Edge are not vulnerable to the security flaw. Google has already issued a fix for anybody using Chrome.
Furthermore, anybody worried about being exploited via the Windows zero-day should update their Adobe Flash Player. According to Microsoft (and Google), a bug in Adobe Flash Player (CVE-2016-7855) is required to exploit the Windows vulnerability, so updating the Flash Player application should help to protect vulnerable systems.
Google’s Hardcore Disclosure Policy
This is the first time that Google’s 2013 policy of disclosing critical flaws to the public just seven days after informing the affected company has caused a backlash from a firm. Three years ago, when Google first announced the policy, the company was criticized by security experts, who commented that seven days was not enough time to issue a fix for a severe or complicated vulnerability.
Although Google hasn’t made a public statement since it issued the announcement on Monday, it is believed that Google stands by its decision to announce what it considers to be ‘critical flaws’ after just seven days. Google actually gives a longer period of 60 days to firms that are found to have a ‘non-critical’ security flaw.
In a blog post about its policy, Google says the following:
“We always report these cases to the affected vendor immediately, and we work closely with them to drive the issue to resolution. Over the years, we’ve reported dozens of actively exploited zero-day vulnerabilities to affected vendors.”
News of the security flaw and its link to the DNC hacks comes just a week after the US government officially pointed the finger at the Russian Government for the hacks of the Democratic Party’s servers. According to US security experts working for the government, Fancy Bear has been linked to the GRU, Russia’s military intelligence agency. That claim is still denied by Putin and his government, who claim they have no interest in influencing the ongoing US elections.
New Evidence of Clinton Corruption?
In separate (but related) news, Anonymous Poland yesterday announced a new hack, this time of the Bradley Foundation. That Rothschild-owned foundation has close ties to the Clinton Foundation, and preliminary reports on the 30GB leak claim that it contains evidence of a $150 million campaign donation to Hillary Clinton.
For now, the severity of the contents of the hack is still unknown. According to some people, however, the alleged contribution to the Clinton campaign could show signs of money laundering. Those allegations remain unconfirmed, but with the US elections so close – and the FBI’s James Comey having recently announced the reopening of the Clinton email case – it certainly would appear to be more fuel for the fire.