Microsoft is "disappointed" by Google disclosure of critical Windows vulnerability

Aditya Madanapalle November 2, 2016, 10:01:48 IST

Google disclosed a critical vulnerability that allowed malicious attackers to gain control of a system by escaping the browser sandbox.

Google disclosed a critical vulnerability in Adobe Flash Player and Windows that allowed malicious attackers to gain control of a system by escaping the browser sandbox. Google has a policy of disclosing critical zero-day vulnerabilities if the affected companies do not issue an advisory or patch the vulnerability within seven days of Google privately reporting its discoveries to the affected parties. The vulnerability was publicly disclosed by the Google Threat Analysis Group.

The Microsoft Malware Protection Center has responded with a post on the Threat Research & Response Blog, outlining the specifics of the vulnerability. The attacker sends a spoofed email to the target. The email exploits Adobe Flash Player to gain control of the browser. Privileges are then escalated so that the malware can escape the browser sandbox. Finally, a backdoor is installed on the target's system, which allows the hackers to remotely control the machine and execute further attacks through the compromised computer.

“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” Terry Myerson, Executive Vice President, Windows and Devices Group, noted in the blog post.

The exploit was apparently used by a government-sponsored hacking group known as Strontium. Strontium has used the most zero-day vulnerabilities of all the threats that Microsoft has tracked over time. These are highly targeted attacks against government agencies, diplomatic institutions, the military, and private defence contractors. Strontium is known to have exploited the vulnerability in a spear phishing campaign. This kind of attack compromises targets by sending emails that appear to be from known sources. Strontium is known to doggedly stay on a target for months, persistently spreading from one compromised system to another.

Microsoft promised a security patch by November 8. The latest version of Windows 10 is not affected by the vulnerability. Microsoft is working with Adobe to patch the previous versions. All versions from Windows Vista onward, except Windows 10, are affected by this zero-day exploit. Microsoft recommends users switch to the latest operating system for the most secure usage experience.