Dive Brief:
- Microsoft said a zero-day vulnerability in the Windows kernel drivers that Google exposed nine days ago has now been patched.
- The vulnerability was already reportedly exploited in public cyberattacks, though victims have not been identified.
- Microsoft has accused the hacking group Strontium — which has been linked to Russia — for carrying out the attacks.
Dive Insight:
Zero-day vulnerabilities are on the rise. A report released in April by Symantec found there were 54 zero day vulnerabilities discovered in 2015 — more than twice the number found in 2014. Security experts say the increase is a sign of cybercrime’s increasing complexity. Hackers can exploit almost any security vulnerability and without concerted efforts by enterprises to ensure cyber hygiene and secure systems, an unprepared company could find it is the next target.
Google disclosed the Windows vulnerability on Oct. 31, 10 days after it privately reported it to Microsoft. Google’s internal policy gives vendors seven days to publicly report or patch vulnerabilities being actively exploited. The move angered Microsoft, which failed to publicly acknowledge the bug until after Google publicly disclosed it.
"Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk," Microsoft's top Windows executive, Terry Myerson, wrote in a Nov. 1 post.