Our commitment to our customers’ security

This guest blog post is by Terry Myerson / Executive Vice President, Windows and Devices Group

Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. And we take this responsibility very seriously.

Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.

We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows. Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8.

We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.

To address these types of sophisticated attacks, Microsoft recommends that all customers upgrade to Windows 10, the most secure operating system we’ve ever built, complete with advanced protection for consumers and enterprises at every layer of the security stack. Customers who have enabled Windows Defender Advanced Threat Protection (ATP) will detect STRONTIUM’s attempted attacks thanks to ATP’s generic behavior detection analytics and up-to-date threat intelligence.


STRONTIUM: A brief history

Microsoft aggregates the details of threat activity—malware, infrastructure, victim classes, and attacker techniques—into activity groups to improve our readers’ ability to understand the reasons behind cyber attacks. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer. Once inside, STRONTIUM moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information.

The exploits

STRONTIUM must accomplish three objectives in order for the attack to succeed:

  1. Exploit Flash to gain control of the browser process
  2. Elevate privileges in order to escape the browser sandbox
  3. Install a backdoor to provide access to the victim’s computer

Microsoft has several threat prevention and exploit mitigation features available to counter these steps.

Adobe Flash exploitation: CVE-2016-7855

Based on the analysis performed by the Windows Defender ATP Exploit research team and the Microsoft Security Response Center (MSRC), the vulnerability in Adobe Flash leveraged by STRONTIUM was found to be a use-after-free issue affecting ActionScript runtime code. Adobe has since released an update to fix this vulnerability. Microsoft is actively partnering with Adobe to implement additional mitigations against this class of exploit.

Elevation of privileges

The Windows kernel vulnerability targeted by STRONTIUM’s EoP exploit is present in Windows Vista through Windows 10 Anniversary Update. However, prior to this attack, Microsoft implemented new exploit mitigations in the Windows 10 Anniversary Update version of the win32k kernel component. These Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit.

Backdoor installation

Following successful elevation of privilege, a backdoor is downloaded, written to the file system, and executed into the browser process. However, the backdoor DLL (along with any other untrusted software) can be blocked by implementing strict Code Integrity policies. Microsoft Edge natively implements Code Integrity to prevent this common post-exploitation step. Users of Internet Explorer and other browsers can also be protected through the use of Device Guard.

Detecting the attack with Windows Defender ATP

Multiple behavioral and machine learning detection rules alert on various elements of the kill chain throughout STRONTIUM’s current attack. Windows Defender ATP can generically detect, without any signature, multiple stages of the attack such as the creation of uncommon DLL libraries on disk from the browser process, unexpected changes of process token and integrity levels (EoP), and the loading of recently created DLL libraries under abnormal process conditions (Figure 3).


Windows Defender ATP demonstrates a timeline of attack

Figure 3: Windows Defender ATP Detection of Kernel EOP used by STRONTIUM

Additionally, threat intelligence and IOCs specific to this attack unearthed by Microsoft Threat Intelligence have been added to Windows Defender ATP and Office 365 ATP. These alerts work alongside the existing threat summary and in-depth profiles on STRONTIUM available in the Windows Defender ATP customer portal.

For more information, check out the features and capabilities of the Windows Defender ATP service in Windows 10 and read more about why a post-breach detection approach is a key component of any enterprise security stack.


Special thanks to Neel Mehta and Billy Leonard of Google’s Threat Analysis Group for their assistance in investigating these issues.

Comments (11)

  1. Akshay C.S says:

    I’m using Chrome on Win7. Am I not protected?

    1. mehdi says:

      yes you are not

  2. Right, like discover this site in Twitter.

  3. Lutz Barz says:

    Spiegel told us a while back how vunerable Flash Player is. I’ve got mine permanently on off. Way to go.

  4. James Chong says:

    Was the zero day patch released to address the vulnerability in the Windows down level kernel? I’m not seeing anything when checking updates today. If so please reference the MS security bulletin. Thank you.

  5. adwbust says:

    I manually installed these updates on Vista SP2 x86 and after a restart, Aero was disabled (3199120 buggy?) and on system tray there was a notification for error related to system or event “logging” (3193706 buggy?). So I thought the updates just needed another restart. I tried to restart but Windows was just stuck on Desktop wallpaper and isnt restarting! I had to hold-press the power button! After the cold/hard restart, everything seems fine. I now checked for updates using Windows Update. It still took too long! After 3 hours it’s still checking for updates!


    I restarted and and reread Bulletin summaries for Nov 2016. The 3196718 and 3198234 updates link to 3193418 on MS Update catalog! The webmaster should be fired! After manually installing 3196718 and 3198234, I checked for updates using Windows Update again. This time it just took around 1 hour for checking for updates and it found additional updates. I installed them and restarted. So far, all is ok.

    As a bonus, 3203859 links to a dead page on MS Update catalog. Dumb webmaster!

    Seriously when will you fix this slow “checking for updates” on Vista?! To speed it up, I first have to manually install updates for Windows kernel and/or graphics every month! It’s making installing updates such a bother! It’s like youre discouraging us to check for and install updates! Pathetic!

  6. Carlos Viscarra says:

    Did the patch get released?

  7. Karim El-Melhaoui says:

    Would EMET protect against this exploit in Internet Explorer with default configuration?

  8. Mike Potter says:

    Is the kernel fix available? Searching Internet have not seen indicators the kernel fix is available. As a precaution am not using my Windows 10 64bit Prof laptop for any financial access/transactions until fixed.

  9. bilwediz says:

    Why cant Advanced Threat Protection be given to all Microsoft Customers. Windows 10 is a great innovation and we are constantly told its the most Secure OS ever . Everyone is aware that Cyber Crime is ubiquitous and an evil war against the public, so why cant we have every tool available Microsoft please hear our plea.

  10. joker fallaga says:

    I have exploit 0day windows
    Building_virus_0day windows no antivirus no defender ditected

Skip to main content