Windows flaw disclosed as part of Google Project Zero

Feb 18, 2017 06:13 GMT

Windows users are once again exposed to attacks, as a Google Project Zero engineer has disclosed an unpatched vulnerability in the operating system.

Google Project Zero member Mateusz Jurczyk discovered a vulnerability in gdi32.dll, the Windows GDI library that renders images and metafiles, which lets an attacker read memory from a Windows system. According to his write-up, the flaw was first reported to the software giant in March 2016.

Microsoft acknowledged the vulnerability and attempted to patch it with MS16-074, released in June 2016, but, as Jurczyk puts it, only part of the problem was actually fixed.

“We've discovered that not all of the DIB-related problems are gone,” he said. “As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker,” he explains for the more tech-savvy users.

Microsoft's patch did not fully fix the issue

Jurczyk reported the remaining problem to Microsoft again on November 16, 2016. When no new patch followed, he made the details public in line with the Google Project Zero disclosure policy: vendors have 90 days from the first notification to fix a reported issue, and if they fail to do so, the details are published.

Microsoft hasn't yet commented on this new disclosure. The company's next patch rollout is scheduled for March 14, as this month's Patch Tuesday has already been delayed, so no fix has shipped in February. Users therefore remain vulnerable at least until next month, and only if a fix for this bug is indeed included in the March cycle.

The exploit vector is a specially crafted EMF file that a vulnerable machine has to render. That does not require direct access to the computer: as the quote above notes, Internet Explorer and other GDI clients that display images will parse the file, so a malicious web page, e-mail attachment or document is enough. The impact is a memory disclosure (heap bytes leaked through pixel colors) rather than direct code execution, but leaked heap contents are exactly what an attacker needs to defeat ASLR and make a second, memory-corruption bug reliable. Until a patch is delivered, users should avoid opening image or document files from sources they cannot trust.
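Jurczyk's quote above describes the bug class: a DIB embedded in an EMF record whose header asks GDI for more pixel data than the record actually carries, so the renderer's read runs into heap memory it should never touch, and that memory surfaces as pixel colors. The Python below is an added illustration, not code from this page or from Project Zero's report. It builds a minimal EMF with one EMR_STRETCHDIBITS record (the record layout and BITMAPINFOHEADER fields are the documented MS-EMF/MS-WMF structures), then audits it the way a hardened parser should: every offset and size must stay inside its record, and the header's declared dimensions must not require more bytes than cbBitsSrc provides. The page does not spell out the exact inconsistency Jurczyk exploited, so treating a dimension/size mismatch as the representative case is an assumption, and the two sample files are constructed here.

```python
"""Audit EMF files for DIB records whose header needs more pixel bytes than
the record carries. The sample files at the bottom are constructed inline."""
import struct

EMR_HEADER = 1
EMR_EOF = 14
EMR_STRETCHDIBITS = 0x51      # record type carrying a device-independent bitmap
BI_RGB = 0                    # uncompressed DIB; other compressions are skipped
EMF_SIGNATURE = 0x464D4520    # " EMF"
SRCCOPY = 0x00CC0020


def dib_pixel_bytes(width, height, bpp):
    """Bytes an uncompressed DIB needs: rows are padded to 4-byte boundaries."""
    stride = ((width * bpp + 31) // 32) * 4
    return stride * abs(height)     # negative height only means top-down rows


def build_stretchdibits(width, height, bpp, pixel_bytes):
    """Build an EMR_STRETCHDIBITS record. Deliberately does not check that
    pixel_bytes is long enough for width x height; that is the crafted case."""
    bmi = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp,
                      BI_RGB, 0, 0, 0, 0, 0)           # BITMAPINFOHEADER
    off_bmi = 80                                       # fixed part of the record
    off_bits = off_bmi + len(bmi)
    size = off_bits + len(pixel_bytes)
    pad = (-size) % 4                                  # records are DWORD aligned
    rec = struct.pack("<II", EMR_STRETCHDIBITS, size + pad)
    rec += struct.pack("<iiii", 0, 0, width - 1, height - 1)     # rclBounds
    rec += struct.pack("<iiiiii", 0, 0, 0, 0, width, height)     # xDest..cySrc
    rec += struct.pack("<IIII", off_bmi, len(bmi), off_bits, len(pixel_bytes))
    rec += struct.pack("<II", 0, SRCCOPY)                        # iUsageSrc, dwRop
    rec += struct.pack("<ii", width, height)                     # cxDest, cyDest
    return rec + bmi + pixel_bytes + b"\0" * pad


def build_emf(records):
    """Wrap records in a minimal EMR_HEADER / EMR_EOF pair."""
    body = b"".join(records)
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)
    hdr = struct.pack("<II", EMR_HEADER, 88)
    hdr += struct.pack("<iiiiiiii", 0, 0, 0, 0, 0, 0, 0, 0)      # rclBounds, rclFrame
    hdr += struct.pack("<IIIIHHIIIiiii", EMF_SIGNATURE, 0x10000,
                       88 + len(body) + len(eof), len(records) + 2,
                       0, 0, 0, 0, 0, 0, 0, 0, 0)
    return hdr + body + eof


def iter_records(data):
    """Yield (type, raw record); refuse any record that runs past the file."""
    off = 0
    while off + 8 <= len(data):
        itype, nsize = struct.unpack_from("<II", data, off)
        if nsize < 8 or nsize % 4 or off + nsize > len(data):
            raise ValueError(f"record at {off} overruns file")
        yield itype, data[off:off + nsize]
        off += nsize
        if itype == EMR_EOF:
            break


def check_dib_record(rec):
    """Findings for one EMR_STRETCHDIBITS record: the checks a safe renderer
    must make before it reads the pixel buffer."""
    findings = []
    n = len(rec)
    off_bmi, cb_bmi, off_bits, cb_bits = struct.unpack_from("<IIII", rec, 48)
    if off_bmi + cb_bmi > n or off_bits + cb_bits > n:
        return ["BITMAPINFO or pixel data lies outside the record"]
    if cb_bmi < 40:
        return ["BITMAPINFO shorter than a BITMAPINFOHEADER"]
    bi_size, w, h, _planes, bpp, comp = struct.unpack_from("<IiiHHI", rec, off_bmi)
    if w <= 0 or h == 0 or bpp not in (1, 4, 8, 16, 24, 32):
        return [f"implausible DIB header: {w}x{h} at {bpp} bpp"]
    if comp != BI_RGB:
        return []                      # compressed DIBs need a decoder-aware check
    if bpp <= 8:                       # a color table sits between header and pixels
        clr_used = struct.unpack_from("<I", rec, off_bmi + 32)[0]
        if cb_bmi < bi_size + (clr_used or 1 << bpp) * 4:
            findings.append("color table truncated")
    need = dib_pixel_bytes(w, h, bpp)
    if need > cb_bits:
        findings.append(f"DIB header needs {need} pixel bytes, record carries {cb_bits}")
    return findings


def audit_emf(data):
    """Return (record_index, message) findings; -1 marks a malformed file."""
    findings = []
    try:
        for i, (itype, rec) in enumerate(iter_records(data)):
            if itype == EMR_STRETCHDIBITS:
                findings += [(i, msg) for msg in check_dib_record(rec)]
    except ValueError as e:
        findings.append((-1, str(e)))
    return findings


# Constructed samples: 24 pixel bytes is exactly a 4x2 24-bpp image
# (12-byte stride x 2 rows). The crafted record claims 64x64 with the same bytes.
PIXELS = bytes(range(24))
BENIGN_EMF = build_emf([build_stretchdibits(4, 2, 24, PIXELS)])
CRAFTED_EMF = build_emf([build_stretchdibits(64, 64, 24, PIXELS)])

if __name__ == "__main__":
    for name, emf in (("benign", BENIGN_EMF), ("crafted", CRAFTED_EMF)):
        print(name, audit_emf(emf) or "ok")
```

Run against a real file with `audit_emf(open(path, "rb").read())`. The crafted sample is flagged because the header wants 12288 bytes of pixels while the record carries 24; a renderer that trusts the header instead of cbBitsSrc would read the missing 12264 bytes from whatever follows the record's heap allocation. A strict parser should also refuse the file outright when any record's nSize runs past the end, which the audit reports with index -1.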

Previous Windows vulnerability disclosures

This isn't the first time Google has gone public with an unpatched security flaw. A similar disclosure took place in November 2016, when the company published details of a Windows security flaw allowing attackers to gain administrator privileges on vulnerable systems.

At that time, Microsoft criticized Google for disclosing the security bug, saying that the search giant had put Windows users "at increased risk."

“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” Windows boss Terry Myerson said at that point.

We’ve reached out to Microsoft to ask for more information on this new bug and we’ll update the article when an answer is provided.