Microsoft fixes Windows security flaw under attack by hackers

The software giant said Russian hackers were behind a low-volume spearphishing campaign, which exploits a previously undisclosed security flaw in the operating system.
Written by Zack Whittaker, Contributor

Microsoft has fixed a security flaw in Windows that was being actively exploited by hackers.

The software and services giant released the patch as part of its monthly round of security patches, known as Patch Tuesday.

In a security bulletin, the company said that the "important"-rated patch will fix multiple elevation of privilege vulnerabilities, which can be exploited because of how the Windows kernel-mode driver improperly handles objects in memory.

An attacker would have to trick the user into opening a specially-crafted application while the user was logged into the computer.

If exploited, that attacker would be able to run programs, delete data, and create new accounts with full user rights and "take control of an affected system," said the bulletin.

Details of the security vulnerability were first revealed on Monday by Google.

The search giant disclosed the flaw outside of its usual three-month private disclosure period, citing evidence that hackers were exploiting the flaw.

Microsoft confirmed the vulnerability in its own blog post.

Windows president Terry Myerson said that Russian hackers, known as Strontium, carried out the low-volume spearphishing attack, which was designed to attack a particular target or organization.

But Myerson, angered by Google's decision to publicly disclose the flaw, said that Google put Windows users "at potential risk" as a result of the premature disclosure.

Myerson said that Windows 10 users running the latest Anniversary Update were not affected by the flaw.

Microsoft nevertheless acknowledged two Google researchers for finding the flaw.

The company also fixed six critical flaws -- including one that affects all versions of Windows -- along with eight other important updates, including cumulative updates for Internet Explorer and its Edge browser.

November's patches will be available through the usual update channels.
