The rivalry between Microsoft and Google might not match the one between Donald Trump and Hillary Clinton, but it goes back many more years, and it’s surfacing again this week in a story with implications for online security, the U.S. election and the ongoing political tension between the U.S. and Russia.
Microsoft says an unpatched Windows flaw and a vulnerability in Adobe Flash have been exploited by a hacking group the company calls “Strontium” for the purpose of a “low-volume spear-phishing campaign” that targeted “a specific set of customers.” Spear-phishing is an attack that involves sending official- or authentic-looking emails to trick users into clicking on a file or visiting a site that exploits a software flaw to gain access to their computer.
Strontium is also known as “Fancy Bear,” which has been linked to the Russian government in connection with the Democratic National Committee hacks. Microsoft didn’t identify the customers targeted by the attack, or give a specific timeline for when the attacks occurred.
Adobe has patched its Flash bug, but Microsoft won’t have a fix for the Windows vulnerability until Nov. 8. (Yes, election day.) Google disclosed the flaw publicly on Monday under its policy of going public with the information seven days after telling another vendor about a critical vulnerability being actively exploited. For lower-priority bugs, Google waits 60 days before going public.
“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” said Terry Myerson, executive vice president of Microsoft’s Windows and Devices Group, in a post identifying Strontium as the group behind the attacks.
Microsoft says that customers using the Microsoft Edge browser on the Windows 10 Anniversary Update “are known to be protected from versions of this attack observed in the wild.” However, the vast majority of Windows users are still using older versions of Microsoft’s operating system.
Myerson writes in his post, “To address these types of sophisticated attacks, Microsoft recommends that all customers upgrade to Windows 10, the most secure operating system we’ve ever built, complete with advanced protection for consumers and enterprises at every layer of the security stack. Customers who have enabled Windows Defender Advanced Threat Protection (ATP) will detect STRONTIUM’s attempted attacks thanks to ATP’s generic behavior detection analytics and up-to-date threat intelligence.”
We’ve contacted Google for comment on Microsoft’s statement.
Meanwhile, NBC News reports that Russia is making a new effort to wean itself off of Microsoft software, reporting that Russian President Vladimir Putin is “specifically targeting software giant Microsoft for its alleged ties to U.S. intelligence.” Russia is also reportedly cracking down on LinkedIn, which Microsoft is in the process of acquiring for more than $26.2 billion.
A Microsoft spokesman said in a statement to NBC News, “We don’t spy on anyone. We don’t work with any government to spy on others, and we never would.”