Google discloses another unpatched Windows vulnerability
Google Project Zero member Mateusz Jurczyk disclosed a gdi32.dll vulnerability in the Windows operating system to Microsoft on November 16, 2016.
The report itself is quite technical, and going into its details would exceed the scope of this site. The following summarizes the turn of events, however.
Jurczyk first disclosed issues with gdi32.dll to Microsoft back in March 2016. He described methods then that would allow attackers to exploit an issue in the dynamic link library: the records it processed were not exhaustively sanitized.
Microsoft released the security bulletin MS16-074 in June 2016 which fixed issues in the Windows Graphics Component (gdi32.dll) among other things.
It turns out that Microsoft did not fully resolve the issues described on Google's Project Zero website.
Jurczyk checked the updated version of gdi32.dll again to see if the patching was successful, or if vulnerabilities would still exist.
The patching was not sufficient: he notes in the new report that MS16-074 fixed some of the bugs, but not all of them.
However, we've discovered that not all of the DIB-related problems are gone.
[..]
As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.
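The quoted finding describes a classic image-parser failure mode: a record declares more pixel data than it actually carries, and a renderer that trusts the declared size reads past the real bytes and displays whatever heap contents follow as pixel colours. The following is an added, constructed example, not code from the Project Zero report, from gdi32.dll, or from the real EMF and BITMAPINFO formats: a simplified bitmap record layout (the 20-byte header, its field names and the error codes are assumptions for illustration) together with a parser that checks every length field against the bytes it was actually given before touching any pixel, and a copy routine that clears its destination so stale memory can never reach the caller.

```c
/* Added illustration, not code from the Project Zero report or from gdi32.dll:
 * a constructed, simplified bitmap record format and a parser that validates
 * every declared length against the bytes actually present before any pixel
 * is read. Header layout (little-endian, 20 bytes, constructed for this
 * example): width, height, bits-per-pixel, data_offset, data_size. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_SIZE 20u
#define MAX_DIM  16384u   /* sanity cap on width and height */

enum dib_status { DIB_OK = 0, DIB_ERR_SHORT_HDR, DIB_ERR_DIM, DIB_ERR_BPP,
                  DIB_ERR_OFFSET, DIB_ERR_RANGE, DIB_ERR_PIXELS };

typedef struct { uint32_t width, height, bpp, data_offset, data_size; } dib_hdr;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* DIB rows are padded to 4-byte boundaries; width is capped so this cannot overflow. */
static uint64_t dib_stride(uint32_t width, uint32_t bpp) {
    return (((uint64_t)width * bpp + 31) / 32) * 4;
}

/* Validate a record against rec_len, the byte count the caller really holds.
 * Nothing here trusts a declared field until it has been checked. */
int validate_dib_record(const uint8_t *rec, size_t rec_len, dib_hdr *out) {
    if (rec == NULL || rec_len < HDR_SIZE) return DIB_ERR_SHORT_HDR;
    dib_hdr h = { rd32(rec), rd32(rec + 4), rd32(rec + 8), rd32(rec + 12), rd32(rec + 16) };
    if (h.width == 0 || h.height == 0 || h.width > MAX_DIM || h.height > MAX_DIM)
        return DIB_ERR_DIM;
    if (h.bpp != 1 && h.bpp != 4 && h.bpp != 8 && h.bpp != 24 && h.bpp != 32)
        return DIB_ERR_BPP;
    if (h.data_offset < HDR_SIZE) return DIB_ERR_OFFSET;
    /* Written as a subtraction so offset + size cannot wrap around. */
    if (h.data_offset > rec_len || h.data_size > rec_len - h.data_offset)
        return DIB_ERR_RANGE;
    /* A record that promises more pixel rows than it carries is the shape of
     * bug the article describes: a trusting renderer keeps reading past the
     * real data and shows whatever heap bytes follow as pixel colours. */
    if (dib_stride(h.width, h.bpp) * h.height > h.data_size) return DIB_ERR_PIXELS;
    if (out) *out = h;
    return DIB_OK;
}

/* Copy the pixel rows of a record into dst. dst is cleared first, so even a
 * caller that ignores the return value never sees stale memory. Returns the
 * number of bytes copied, or -1 if the record was rejected or dst is too small. */
long copy_pixels(const uint8_t *rec, size_t rec_len, uint8_t *dst, size_t dst_len) {
    dib_hdr h;
    memset(dst, 0, dst_len);
    if (validate_dib_record(rec, rec_len, &h) != DIB_OK) return -1;
    uint64_t needed = dib_stride(h.width, h.bpp) * h.height;
    if (needed > dst_len) return -1;
    memcpy(dst, rec + h.data_offset, (size_t)needed);
    return (long)needed;
}

/* Build a constructed record from explicit header fields plus payload_len
 * bytes of zero pixel payload, then validate it. Lets callers probe each
 * check without hand-writing byte arrays. */
int validate_built(uint32_t w, uint32_t h, uint32_t bpp,
                   uint32_t off, uint32_t size, size_t payload_len) {
    uint8_t buf[4096];
    if (payload_len > sizeof buf - HDR_SIZE) return DIB_ERR_RANGE;
    memset(buf, 0, sizeof buf);
    wr32(buf, w); wr32(buf + 4, h); wr32(buf + 8, bpp);
    wr32(buf + 12, off); wr32(buf + 16, size);
    return validate_dib_record(buf, HDR_SIZE + payload_len, NULL);
}

int main(void) {
    /* 2x2 pixels at 32 bpp: stride 8, two rows, 16 payload bytes. */
    printf("well-formed:        %d\n", validate_built(2, 2, 32, 20, 16, 16));
    printf("declares 64 bytes:  %d\n", validate_built(2, 2, 32, 20, 64, 16));
    printf("4 rows, 16 bytes:   %d\n", validate_built(2, 4, 32, 20, 16, 16));
    printf("offset wraps:       %d\n", validate_built(2, 2, 32, 0xFFFFFFF0u, 16, 16));
    return 0;
}
```

The two checks that matter most are the overflow-safe range test (a subtraction rather than `offset + size`, so a huge offset cannot wrap past the record end) and the comparison of the pixel bytes the dimensions require against the bytes the record actually declares; the clearing of the destination in `copy_pixels` is the belt-and-braces measure that turns a missed check into blank pixels instead of an information leak.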
Google gives companies 90 days after disclosure of vulnerabilities to fix the issue. If the time period elapses without a patch that is made available to the public, the vulnerability is disclosed to the public.
Jurczyk reported the issue to Microsoft on November 16, 2016. Microsoft did not release a patch within that window, which is why Project Zero's disclosure process made the issue and the example exploit code public.
The good news for Windows users is that the issue should not be of major concern, as exploiting it requires access to the machine. Woody notes that an attacker would have to log on to the machine and execute a specially prepared EMF file.
Still, this is another unpatched Windows vulnerability, after the zero-day SMB vulnerability that came to light at the beginning of February 2017, and the unpatched Flash Player in Edge needs to be added to that list as well.
It is possible that Microsoft had planned to release a security update for the reported vulnerability on the February 2017 Patch Day. That Patch Day did not happen, however, as Microsoft announced that it was postponing it to March.
We don't know whether Microsoft had a patch for the issue in the pipeline that would have met Google's deadline, or whether an SMB vulnerability patch would have been made available in February.
Microsoft has yet to reveal why it postponed the Patch Day by a whole month.
Pretty ironic that Google can point out vulnerabilities in other software but cannot sort its own stuff out lol.
Google is kicking them while they’re down. lol
I wonder if any of these bugs would affect Wine? It's true that Wine is not a complete OS, and Wine does not do low-level things, but Wine does contain a GDI implementation amongst other things, and so bugs that affect GDI in Windows may very well affect Wine too.
If 90 days (3 months) isn’t enough time to plug a security hole there’s something badly wrong with the way you’re developing software, you either need to hire more staff or get your priorities right.
@Bigg Eddie
Yeah, it’s the curse of scrum and agile. The worst thing that happened to software development, which forces people to do incremental, useless changes, while both bigger issues and focus on proper code are pushed aside.
If it weren’t for useless business couches and HR departments, everything would look different.
Did you mean to type “useless business douches”? Just curious…
Look at your (Martin) 8th sentence, and think whats wrong with it. And you wounder why there are so many programing errors!? That’s probably why Micro could not fix it with in the allotted time given by Google. Everyone is in a hurry to go no were. “No one has time to do it correctly the first time, However, they they have time to do it again!”
Are you serious?
*nowhere, not “no were”.
If you’re going to be a prickly pedant, do it correctly the first time.
Couldn’t you just quote the 8th sentence instead of making us go back and count? :\
I assume Bigg Eddie is attempting a humorous correction, but to me it’s an annoying electron waster. “whats” = what’s, “wounder”=wonder, “programing”=programming, “with in”=within, “no were”=nowhere, and several more errors you can find if you want to look.
I was promised security on Windows 10 :(
Don’t confuse “the most secure version of Windows ever” with actual security.