Following a disclosure from Google about a flaw in Microsoft’s Windows operating system yesterday, Microsoft itself appears to have said that the bug is being “actively exploited” by a hacking group previously linked to the Russian government.
A patch won’t be coming for the flaw until November 8th, according to Reuters.
There are no details as of yet as to how precisely hackers are exploiting the flaw, or how widespread any attack is.
According to Google’s description of the security flaw, it’s limited but potentially very serious. “The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape.” Some reports have said that the privilege escalation requires an older, unpatched version of Flash to be installed, which mitigates the risk a little. Google has also patched Chrome, so an up-to-date version of Chrome shouldn’t allow the flaw to be exploited.
Microsoft harshly criticized Google’s early disclosure of the flaw yesterday. In general, 0-day exploits like this are only publicly announced once the software maker (in this case, Microsoft) has had time to develop a fix and offer it to users. But because of the short timeline here — Google only notified Microsoft of the flaw on October 21st — Microsoft hasn’t had time to fix things yet.
A Windows patch is in the works, but in the meantime, there’s little you can do to protect yourself from any attack. Patching Adobe Flash and Chrome may help to reduce the likelihood of the flaw being exploited on your computer, but until Microsoft issues a real patch, be careful what you visit, what you download, and particularly what email links you follow. But you were already doing that anyway, right?