Windows Bug Exploited For Six Months

By John Lister

A Windows bug patched last month had been exploited for six months by hackers linked to North Korea. Microsoft reportedly knew about it and the delay in fixing it may have been down to internal bureaucracy.

Security company Avast found the bug last August and reported it to Microsoft. At the time it was already a zero-day bug, meaning there was evidence hackers not only knew about the bug but were taking advantage of it. That meant Microsoft had a "zero days" head start in coming up with a fix and rolling it out before hackers exploited it.

Microsoft released a fix in the February "Patch Tuesday" update but didn't publicly confirm it had been exploited until the end of the month.

North Korea Behind Attacks

According to Avast, members of the Lazarus hacking group were exploiting the bug. They are thought to be backed by North Korea and their purpose is to cause trouble for other countries and raise funds for the totalitarian state, which is subject to severe restrictions on international trade.

Microsoft has said the risk is that attackers could get "system" level access in limited circumstances, but would need to be logged on to the system in the first place. In simple terms, system level access, also called kernel-level access, means having the same access to the computer that Windows itself has. (Source: bleepingcomputer.com)

Avast says the big problem is Microsoft doesn't consider the move from having administrator access to Windows to having kernel access to be a "security boundary" and thus doesn't treat such bugs as the highest priority.

Hackers Disable Security Tools

According to Avast, that's led to a major problem because the Lazarus hackers are able to use the kernel access to disable security software. They can then install malware known as rootkits, which not only have the potential to control the operating system itself but could do so undetected. (Source: arstechnica.com)

Ultimately, the dispute comes down to a simple difference in views: Avast says hackers being able to go from administrator access to kernel access is a major danger, while Microsoft says it's not a priority problem because it's so difficult to get administrator access remotely in the first place. Avast's revelations about the hackers' extended period exploiting this bug suggest its viewpoint has proven more relevant.

What's Your Opinion?

Should Microsoft warn the public as soon as it knows a bug is being exploited? Which should software firms prioritize: bugs that are easier to exploit or bugs that could cause more damage when exploited? Are manufacturers of security software a trustworthy source on the level of risk?


Comments

OadbyPC

Avast told them in August but MS could well have known months before then if it took them 6 months from August to bother to fix it!

anniew

Not being an expert, I want to know how to check that I don't have the malware. I see that I got the patch update last month. Anything I can run to check on this mess?
Thanks,
Annie

olds97_lss

Malwarebytes.com used to have a free version you could run on demand. The paid version runs always in the background. I used it many years ago to try and bring a computer back from the brink due to being infected by malware. It did its job. I bought the lifetime license then and have been using it since. I think I was using Windows XP at the time, so, it's been a while.

They only offer a monthly/annual license now, but it appears the free on demand version still exists.

https://www.malwarebytes.com/mwb-download

Dennis Faas

The free version still exists, but you will be opted into the trial paid version and nagged constantly to pay for it. This is what I do when I think I might be infected:

1. Download Malwarebytes antimalware free.

https://www.majorgeeks.com/files/details/malwarebytes_anti_malware.html

2. Click the "person" icon (with a circle around it) in the top right corner.

3. Click the "my subscription" option, then click on deactivate.

4. Close the "my subscription" window, then click the "scan" button next to the "Scanner" heading on the top left-ish of the screen. Do a full scan.

5. Remediate / quarantine any threats if found if you agree they are threats.

6. Uninstall Malwarebytes antimalware. If you don't, it will keep nagging you with offers to upgrade to the full paid version.

Note that I don't recommend installing Malwarebytes (and keeping it installed) or any other "protection" software as it will slow you down, especially if the PC is more than 5 years old, you only have 8GB of memory or less, and especially if you don't have a solid state drive (SSD) installed.

The more "protection" you have installed, the more process and resource scanning needed to scan every action you take on the system, and the more latency you will introduce to everything you do. Windows already has a firewall and antivirus program built into the operating system and is adequate so long as the system is patched and supported by Microsoft. Disk image backups are your friend if you need to restore your system.

anniew

Thank you both for the suggestions and your details, Dennis! I ran Malwarebytes today and then uninstalled. I think I used it at one time, but became disenchanted.
Thanks again,
Annie