Microsoft Says Hacking Group Targeted Windows, Adobe Flash

(Bloomberg) — Microsoft Corp. said a computer-hacking group that has previously targeted government agencies attacked its Windows software and Adobe Systems Inc.’s Flash program.

The company will release a security patch for its operating system on Nov. 8, Windows chief Terry Myerson said Tuesday in a blog post on Microsoft’s website. Users of Microsoft’s Edge browser on the latest update to Windows 10 are protected from the flaw, the company said.

The security exploit, by a group Microsoft calls Strontium, was discovered by Google’s Threat Analysis Group and announced on Monday. The attacks, which sought to take control of a user’s computer, took advantage of so-called zero-day flaws, or security holes that are unknown to the product’s vendor and therefore no patch has yet been developed.

"Strontium is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes," according to the Microsoft blog. "Microsoft has attributed more 0-day exploits to Strontium than any other tracked group in 2016."

The group is also known as Fancy Bear and APT 28 and has been previously linked to the Russian government and U.S. political hacks, Reuters reported.

Google’s Disclosure

In a blog post on Monday, Google said it reported the issue to Adobe and Microsoft on Oct. 21, and Adobe updated Flash five days later. The internet-search giant, a unit of Alphabet Inc., said its policy is to disclose actively exploited security vulnerabilities after seven days.

Still, Microsoft expressed displeasure with Google for announcing the hack before a patch for Windows was available.

"Responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure," Myerson wrote in the blog. "Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."