Microsoft said Tuesday that it will issue a fix next week for a Windows vulnerability it says is being exploited by hackers linked to Russia’s government.
The company said in a blog post that it would release the fix on November 8 as part of its normal patch cycle, adding that a well-known hacking group was already using the newly discovered flaw in a campaign that sends people bogus emails in an attempt to con them out of personal data. The bug, which was publicly revealed by Google on Monday, can be used to bypass the security in the Windows win32k system.
The revelation of the bug has caused some friction between Microsoft and Google. The search giant said it gave Microsoft 10 days to issue an advisory or a fix but that Microsoft failed to act. Google went public after that because it rated the bug as “critical” and learned it was being actively exploited. Microsoft hasn’t addressed the delay in issuing a fix but disputed Google’s assessment of the bug’s threat, adding that Google’s disclosure “could put customers at potential risk.”
Microsoft said a hacking group known as Strontium was behind email attacks that took advantage of the flaw. The group, more widely known as “Fancy Bear” and APT 28, has also been linked to a series of hacks this summer, including one in which emails and chat transcripts were stolen from the Democratic National Committee’s computer network.