A security flaw that hackers were actively taking advantage of has been squashed in Windows. Microsoft released the fix as part of Patch Tuesday, its monthly round of security fixes, reports ZDNet.
Microsoft has said that this particular fix, which it rates “important” in a security bulletin, addresses multiple elevation of privilege vulnerabilities. Attackers were able to exploit these due to the improper way in which the Windows kernel-mode driver handles objects in memory.
To take advantage, an attacker would need to trick a logged-in Windows user into opening a specially made application. Then, the hacker would get full user rights and, with them, the ability to run software, delete data and make new accounts.
The security flaw was first made public by Google early last week, before Microsoft acknowledged it in a blog post. Windows president Terry Myerson reported that a Russian hacking group known as STRONTIUM had used the flaw to conduct a low-volume spear-phishing attack.
Myerson also said that the flaw did not affect users of the Edge browser on Windows 10 Anniversary Update. Microsoft’s November security patches are available via the usual update channels.