MICROSOFT IS USING a new tactic to get people to upgrade to Windows 10 by warning that those who don't could fall victim to Russian hackers.
The company said in a security advisory that a hacking group previously linked to the Russian government and US political hacks has exploited a newly discovered Windows zero-day flaw that was outed by Google earlier this week.
Microsoft claimed that the hacking group 'Strontium', more commonly known as 'Fancy Bear', had carried out a small number of attacks using spear phishing techniques.
The hackers first compromised Adobe Flash, according to Microsoft, before using a second exploit to target a Windows kernel vulnerability in Vista through to Windows 10. From there, the so-called Fancy Bear hackers were able to install a backdoor on a victim's PC.
Terry Myerson, executive vice president of Microsoft's Windows and Devices division, said: "Recently, the activity group that Microsoft Threat Intelligence calls Strontium conducted a low-volume spear phishing campaign.
"This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers."
Myerson added that Microsoft "has attributed more zero-day exploits to Strontium than any other tracked group in 2016".
Microsoft said that a patch to protect users against this latest threat will be released on 8 November, but Myerson has advised customers to upgrade to the latest version of Windows 10 to be protected immediately. Because, of course, he did.
"Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild," he said.
Microsoft thanked Google for bringing the vulnerability to its attention, although it was not too pleased that the firm made it public.
"We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure," the firm said.
"Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."
Google, on the other hand, maintained that disclosing known and "actively exploited" vulnerabilities is in the interest of people seeking to secure their systems.