How to avoid Windows win32k.sys security flaw
On October 31st, Google published a post on its security blog outlining a vulnerability in the Windows kernel which would essentially allow hackers to bypass the usual security measures and potentially infect the PC with malware, spyware and more.
Microsoft has not yet patched the flaw, and Google claims it is already being “actively exploited”. In fact, Microsoft has confirmed this and said in a TechNet blog that the group behind the “low-volume” attack is called (internally by Microsoft Threat Intelligence) STRONTIUM.
What is the threat?
The issue is a ‘security hole’ in the Windows kernel, which applies to all versions of Windows. Google says the vulnerability “can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”
Essentially it means that, as we’ve said above, hackers can gain elevated privileges for their software so that it can break out of the usual protected area (the sandbox) of a web browser and install malicious code on your computer.
However, according to Microsoft, STRONTIUM has to accomplish three things for an attack to succeed. First it must exploit Adobe Flash. Second it must “elevate privileges” to escape the browser’s sandbox (the walled-off area which it is limited to) and third, install a backdoor to gain access to the victim’s computer.
Google’s blog says that Adobe has already fixed the vulnerability in Flash within five days of being notified, but Microsoft will not patch Windows until next Tuesday, 8 November. The fix is currently being “tested by many industry participants”.
How can you protect yourself from the win32k.sys flaw?
First, make sure you have the latest version of Flash. You can either completely uninstall it from your computer through the Control Panel, use the Flash Updater utility on your computer to get the latest version or go to Adobe’s website to manually install the update.
If you’re running Windows 10, use either the latest version of Chrome or Microsoft’s Edge web browser, as these already provide protection against the versions of this threat.
In Terry Myerson’s TechNet post, he also says: “Customers who have enabled Windows Defender Advanced Threat Protection (ATP) will detect STRONTIUM’s attempted attacks thanks to ATP’s generic behavior detection analytics and up-to-date threat intelligence”.
Again, this relates to Windows 10 only; if you’re running a previous version of Windows, be sure to check that your antivirus software is up to date. The only way to be truly protected is to disable all networking on that computer or leave it turned off until the patch is available next Tuesday.
Or, as Microsoft points out, you could upgrade to Windows 10 and use Edge and Windows Defender.