Tech companies Google (NASDAQ: GOOGL) and Microsoft (NASDAQ: MSFT) are currently feuding over the disclosure of a critical vulnerability, while Russian hackers are exploiting it. Microsoft has vowed to patch the flaw by next week.
On October 31, Google disclosed both Adobe and Microsoft had zero-day vulnerabilities to protect users. Google’s Threat Analysis Group reported such flaws to both companies on October 21.
Adobe rapidly took care of it, but Microsoft apparently didn’t do the same. So, by Google’s policy, the company decided to make public the Windows 32K system vulnerability that a Russian hacker group is actively exploiting.
The hacker group, known as STRONTIUM, Fancy Bear or APT 28, is using the vulnerability to send people fake emails to steal personal data from them.
They are believed to be behind the stolen emails and chat transcripts from the Democratic National Committee’s computer network.
Microsoft’s executives said Google’s decision put users at risk
Google gave Adobe and Microsoft 7 days to issue an advisory or fix the problem. Adobe launched a patch for the Adobe Flash player on October 26 available via Adobe’s updater and Chrome auto-update.
However, Microsoft did not take prompt measures, and Google’s Threat Analysis Group decided to expose the Microsoft’s lack of action.
Needless to say, Microsoft did not like it. Yesterday, Windows and Devices executive VP Terry Myerson released a company statement addressing the issue. Microsoft added customers using Microsoft Edge with the Windows 10 Anniversary Update were safe.
Myerson criticized Google’s decision, saying it puts customers at increased risk. Microsoft is currently working with Google and Adobe to test and create patches for all Windows versions. The company plans to release them on the next update on Tuesday, November 8.
Microsoft gave details about STRONTIUM’s activities
According to Microsoft, STRONTIUM has been held responsible for more zero-day exploits than any other tracked hacker group in 2016.
Through malicious e-mails, the Russian group takes over the victim network and steals sensitive information such as bank account passwords.
STRONTIUM, linked to the Russian government, usually targets government agencies, diplomatic institutions, military organizations, and affiliated private sector entities.
Source: Google Online Security Blog, Microsoft Malware Protection Center