A brewing security feud between Microsoft and Google has worsened as Microsoft said that Russian hackers had exploited a Windows security flaw revealed by Google.
Microsoft said in a blog post that the Russia-based Fancy Bear group, also known as Strontium, had conducted a low-volume phishing attack that exploited the flaw.
Google’s Threat Analysis Group identified zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel.
However, Google’s disclosure of this vulnerability before patches were broadly available angered Microsoft, with the latter calling it “disappointing” and saying it “puts customers at increased risk.”
“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure,” wrote Terry Myerson, Executive Vice President, Windows and Devices Group.
However, Google said when disclosing the bug that it had informed Microsoft seven days before going public with the announcement.
It said that Adobe had promptly issued a fix, whereas Microsoft had not released any advisory or fix for the vulnerability.
“This vulnerability is particularly serious because we know it is being actively exploited,” said Neel Mehta and Billy Leonard of the Threat Analysis Group at Google.
Microsoft will release patches for all versions of Windows in the next update on 8 November. The company has coordinated with Google and Adobe to investigate the attacks and to create a patch for down-level versions of Windows.
In the meantime, Myerson recommended that customers upgrade to Windows 10, saying that Windows Defender Advanced Threat Protection would be able to detect Fancy Bear’s activity.
Fancy Bear has been in the headlines recently over a number of hacks, particularly ones involving the Olympics.
The collective, claiming to stand for “fair play and clean sport”, launched its #OpOlympics campaign this summer. Fancy Bear claims to have hacked into World Anti-Doping Agency databases. Recently Fancy Bear has revealed medical information about top American athletes Serena Williams, Venus Williams and Simone Biles.
The hacking group was also implicated in attacks on the Democratic National Committee.
Myerson said in the blog: “Strontium frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer.
“Once inside, Strontium moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information.”