Last week, Google’s Threat Analysis Group announced serious vulnerabilities in Adobe Flash and the Windows operating systems operating “in the wild”. These vulnerabilities, known as “Zero-Day Vulnerabilities” made it possible for a Russian hacking group called Strontium, or Fancy Bear, to compromise into vulnerable computers via malicious web pages. Most versions of Windows, from Windows Vista to Windows 10, are affected by this vulnerability.
Microsoft has promised to have a complete patch by November 8th, and Adobe has already released an update for their Flash software. The hackers used the vulnerability in Flash to break the first layer of security around the target’s web browser, giving them enough access to use the other exploit in Windows to fully compromise the target PC. So the good news is that by updating to the latest version of Adobe Flash Player, you are protected against the primary attack method seen in the wild so far.
The announcement of this vulnerability has caused some issues between Google and Microsoft. Google followed their standard policy in informing both Adobe and Microsoft of this vulnerability a week before making the public announcement. This was enough time for Adobe to patch their software, but for Microsoft a week was not enough time to develop, test and deploy a patch for all Windows operating systems. Microsoft is now claiming that Google announcing the vulnerability before they have a fix for it is dangerous to the public.
To add some more intrigue to this announcement, the hacking group that took advantage of the vulnerability, Fancy Bear, is the same group that has been linked to the Democratic National Committee data breach, the World Anti-Doping Agency hack, and many other government agency hacks around the world. These are some pretty serious attacks for a group with such an…interesting name.
Beyond the obvious opportunity for a bear pun, there are some pretty interesting questions here. The obligations for tech companies and security researchers around ethically and responsibly reporting and dealing with security vulnerabilities is nothing new within tech circles, but it’s getting more public attention especially in this election cycle with allegations and counter-allegations of cyber trickery working their way into mainstream news. And everyone is getting a first-hand primer on how cyber security increasingly and critically matters for the “real world.”
Let us know your thoughts on our Facebook or Twitter! We want to know how you would answer these questions. Aren’t sure if you are protected from threats like these? Give us a call!
For more information on good ways to keep your computer safe take a look at this post from Microsoft.
We mentioned above to make sure and update your Adobe Flash Player. More information about the update can be found here… though at this point just uninstalling Flash entirely is an entirely valid solution if you can live without it.