Microsoft acknowledges software flaw that provides loophole for hackers

CBS NEWS A software flaw in some of Microsoft’s older versions of Windows and Abode has allowed hackers a way to attack computer systems, Microsoft acknowledged Wednesday. The vulnerability has reportedly already been exploited by hacking attacks tied to foreign governments.

In a blog post written by one of the company’s executive vice presidents, Terry Meyerson, Microsoft said a hacking group it called STRONTIUM has used this loophole in recent “spear phishing” attacks. Spear phishing involves hackers sending realistic-looking emails or links targeted to users to gain access to their personal data or accounts.

STRONTIUM is a Microsoft code name based off the company’s internal practice of giving hacking groups the names of chemical elements. In cybersecurity circles, STRONTIUM is widely understood as the company’s pseudonym for the well-known hacking group known as Fancy Bear, which is tied to the Russian government. (In a 2015 intelligence report, Microsoft says Fancy Bear displays “activity similar to the activity observed from STRONTIUM.”)

Fancy Bear is believed to be behind the embarrassing election-season hack of the Democratic National Committee. Microsoft would not comment further on Wednesday.

Microsoft described STRONTIUM as a group that routinely targets “government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes.” The company added that it has linked more exploits through this loophole to STRONTIUM than any other group tracked this year.

The hackers move from victim to victim through compromised email accounts, entrenching itself in a network of victims “as deeply as possible to guarantee persistent access” and steal “sensitive information,” Microsoft said.

The fix for older Windows editions will be available publicly on Nov. 8, which happens to be Election Day, Microsoft said. Adobe has already issued its patch.

In the meantime, to avoid the vulnerability, Microsoft recommends that all customers upgrade to Windows 10, which does not have this flaw.

In an interesting twist, it was rival company Google that publicly disclosed the Microsoft security vulnerability on Monday. Microsoft criticized Google for sharing the vulnerability before a patch was available, which it said was “disappointing, and puts customers at increased risk.”