Major Windows Vulnerability Disclosed by Google before Patch Available

by Sergio De Simone on Nov 02, 2016. Estimated reading time: 1 minute

An actively exploited vulnerability in the Microsoft Windows kernel has been disclosed by Google’s Threat Analysis Group before Microsoft had published a patch or any mitigation advice.

The attack Google disclosed actually relies on two bugs: one in the Windows kernel and one in Adobe Flash. Adobe promptly shipped a security patch for its part, which means that updating Flash breaks the known exploit chain even while the kernel component remains unpatched. Microsoft, on the other hand, had published neither an advisory nor a fix when Google’s security engineers decided to go public. Google deems the vulnerability “particularly serious” because it is being exploited in the wild. Adobe likewise noted that:

an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10.

After Google’s disclosure, Microsoft publicly acknowledged the vulnerability and promised a patch for November 8, once it has been “tested by many industry participants”. Terry Myerson, Microsoft’s executive vice president, also gave some details about Strontium, the activity group known to be exploiting the vulnerability:

Strontium is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. [… It] will persistently pursue specific targets for months until they are successful in compromising the victims’ computer. Once inside, STRONTIUM moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information.

According to Myerson, though:

Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.

Google’s early disclosure follows its own disclosure policy, which gives vendors 60 days to fix critical vulnerabilities but only seven days to ship a fix or publish mitigation advice when a vulnerability is being actively exploited. Google’s position is that early disclosure gives users a chance to protect themselves before they become a target.

Microsoft has criticized Google’s disclosure timelines before, arguing that “responding to security vulnerabilities can be a complex, extensive and time-consuming process” given the variety of environments a fix must cover. Security researchers are similarly split between the two companies’ positions.
