A previously unknown Windows "zero-day" flaw is being exploited by hackers, but Microsoft likely won't fix it until the middle of next month. The vulnerability affects Windows 7 through Windows 10.
So say the researchers at Google's Project Zero, who also disclosed that the Windows exploit is just the second step in a one-two punch being used by remote attackers to take over PCs. The first step is a Chrome flaw that was revealed (and patched) last week.
“Currently we expect a patch for this [Microsoft] issue to be accessible on November 10,” the next Microsoft Patch Tuesday, tweeted Project Zero technical lead Ben Hawkes. “We’ve confirmed with the Manager of Google’s Threat Analysis Group, Shane Huntley (@ShaneHuntley), this can be targeted manipulation and this isn’t related to any US election-related targeting.”
The Windows exploit requires local access, i.e. it must be run by a person or by software that already has access to the machine, so by itself it is not such an immediate danger.
However, the Chrome flaw it was combined with is remotely exploitable, making things much worse. A malicious email attachment or site could use the Chrome flaw to escape the browser "sandbox" and then use the Windows flaw to take over the device.
The exploit messes with the numerical input in a cryptography driver, allowing the attacker to overwrite some memory and run their own code. Project Zero's Mateusz Jurczyk and Sergei Glazunov posted proof-of-concept code that could cause a system crash to the official Project Zero blog, but it appears that more nefarious results are possible.
Asked about this by Tom's Guide, Microsoft responded with the following statement.
“Microsoft has a customer devotion to research reported security problems and upgrade impacted devices to protect customers. While we work to fulfil all of the investigators’ deadlines for disclosures, for example, short-term deadlines such as in this situation, creating a security upgrade is a balance between timeliness and quality, and our ultimate objective is to help guarantee maximum client protection with minimal customer disruption.”
How to protect yourself from this Windows zero-day
Until Microsoft releases a patch, the best way to protect yourself from this Windows flaw is, paradoxically, to update Chrome, Edge, Brave, Opera, Vivaldi and other Chromium-based browsers to the latest version.
In Chrome and many other browsers, you just need to click the Settings icon at the top of the browser window (it looks like three lines or three dots), then scroll down to About or Help.
Once you find About, click it, and a new tab will open that automatically checks for an update. If one is available, the browser will download the update and prompt you to restart.
The newest version of Brave and Chrome is 86.0.4240.111. In Edge, it is 86.0.622.58. (The latter includes the Chromium security fix, according to a Microsoft security advisory.)
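For anyone checking more than one machine, the following is an added example (not from the original article) that flags browsers older than the versions stated above. The host names, the inventory format and the sample rows are constructed for illustration; browsers for which the article gives no fixed version are marked for manual review.

```python
# Added example: the inventory below is constructed, not data from the article.
# Minimum fixed builds as stated in the article above.
FIXED = {
    "chrome": (86, 0, 4240, 111),
    "brave": (86, 0, 4240, 111),
    "edge": (86, 0, 622, 58),
}

# Constructed sample rows: host, browser, reported version string.
SAMPLE_INVENTORY = """\
ws-01,chrome,86.0.4240.111
ws-02,chrome,86.0.4240.75
ws-03,edge,86.0.622.58
ws-04,edge,86.0.622.51
ws-05,brave,86.0.4240.99
ws-06,chrome,87.0.4280.20
ws-07,opera,72.0.0.1
ws-08,chrome,unknown
"""


def parse_version(text):
    """Turn '86.0.4240.111' into (86, 0, 4240, 111); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory):
    """Return {host: status} with status 'ok', 'outdated' or 'review'."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, browser, version = (f.strip() for f in line.split(","))
        fixed = FIXED.get(browser.lower())
        parsed = parse_version(version)
        if fixed is None or parsed is None:
            # No fixed build stated in the article, or unreadable version.
            results[host] = "review"
        elif parsed < fixed:
            # Numeric tuple comparison; comparing the raw strings would
            # wrongly rank '...4240.99' above '...4240.111'.
            results[host] = "outdated"
        else:
            results[host] = "ok"
    return results
```

Calling `audit(SAMPLE_INVENTORY)` returns a status per host; ws-05 shows why the comparison must be numeric rather than a plain string comparison.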
You will also want to be running one of the best antivirus programs. Until now, these two flaws have been used in targeted attacks against selected people or organizations, presumably by nation-state attackers or well-funded criminal groups.
However, now that the secret is out, it's possible that malware operators could integrate this Windows exploit into their own bags of tricks. If they can get the malware onto your machine by other means, they won't have to use the Chrome exploit.
Are seven days really enough to fix a flaw?
So why has Google disclosed, and demonstrated an exploit for, a vulnerability that likely won't be fixed until November's Patch Tuesday? It's all part of Google's strict policy regarding actively exploited flaws.
“Therefore, this bug is subject to a 7-day disclosure deadline.”
In other words, Google implies that Microsoft was advised of this flaw on Oct. 22, the same day the Project Zero blog article was written. (The blog article was kept private until noon Eastern time today, Oct. 30.)
Now that the seven days are up, Google’s reasoning goes, the entire world should know so that Windows users may appropriately protect themselves.
Such transparency does not always sit well with the firms whose dirty laundry is revealed. Microsoft has complained, most notably in 2015 when Google disclosed Windows vulnerabilities two days before they were expected to be patched.
Last year, Apple lashed out at Google for detailing half a dozen flaws in iOS that were used for decades by Chinese governments to spy on the iPhones of ethnic minorities. Never mind that Google had waited until after Apple fixed matters to go public.