Google Discloses Unpatched Windows GDI Vulnerability

An unpatched vulnerability affecting the Windows Graphics Device Interface (Windows GDI) was publicly disclosed last week after Microsoft failed to address it within 90 days after being notified.

The issue was disclosed by Mateusz Jurczyk, an engineer with Google’s Project Zero team, who initially discovered it along with other bugs in the user-mode Windows GDI library (gdi32.dll) in March 2016. Microsoft attempted to address these issues with the June 2016 set of monthly patches (security bulletin MS16-074), but apparently failed to do so.

While taking a look at the patched gdi32.dll, the Google security researcher found that some of the bugs were indeed resolved, but that others still presented security risks. In November 2016, the researcher filed another report to inform Microsoft of his findings.

As per Google’s Project Zero’s policy, vendors are provided with 90 days to resolve the reported vulnerabilities before they become public knowledge. As soon as the 90 days passed, the report went public, along with a proof-of-concept published by Jurczyk.

This public disclosure, however, appears to have been timed to coincide with the publishing of Microsoft’s February 2017 security update, which was expected on February 14 but was delayed for one month “due to a last minute issue that could impact some customers.” The patches were expected to resolve a previously revealed high-risk SMB 0-day as well.

Tracked as CVE-2017-0038, the newly disclosed vulnerability is related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF records. Last year, Google’s Jurczyk found missing checks “in at least 10 different records,” and says that Microsoft managed to fix only some of them with MS16-074, while others still pose security risks.

Jurczyk notes that a careful audit of all EMF record handlers responsible for dealing with DIBs is required, to ensure that every one of them correctly enforces all four of the conditions set out in his report. Wherever a condition is not enforced, invalid memory access (and subsequent memory disclosure) while processing the bitmaps is possible.
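To illustrate the kind of bounds enforcement the audit is about, here is an added Python validator for one DIB-carrying EMF record, EMR_STRETCHDIBITS. It is not code from the article or from the Project Zero report: the record and BITMAPINFOHEADER layouts follow the public EMF/DIB formats, and the four checks are this example's own illustration of the bounds checks a handler must make (header inside the record, pixel bytes inside the record, colour table inside cbBmiSrc, declared geometry fitting in cbBitsSrc), not a transcription of the report's exact conditions; the builder only constructs test records.

```python
import struct

# Layout constants from the EMF and DIB formats (not taken from the article)
EMR_STRETCHDIBITS = 81        # record type value for EMR_STRETCHDIBITS
EMR_FIXED_LEN = 80            # fixed part of the record that precedes the DIB data
BMIH_LEN = 40                 # sizeof(BITMAPINFOHEADER)
BI_RGB = 0                    # uncompressed pixel data
EMR_FMT = "<IIiiiiiiiiiiIIIIIIii"  # Type, Size, Bounds, geometry, offsets/sizes, usage, rop, dest size

def build_stretchdibits(width, height, bpp, bits, cb_bits=None):
    """Construct a BI_RGB EMR_STRETCHDIBITS record (test input; cb_bits may be mis-declared)."""
    bmih = struct.pack("<IiiHHIIiiII", BMIH_LEN, width, height, 1, bpp, BI_RGB, len(bits), 0, 0, 0, 0)
    cb_bits = len(bits) if cb_bits is None else cb_bits
    size = EMR_FIXED_LEN + len(bmih) + len(bits)
    hdr = struct.pack(EMR_FMT, EMR_STRETCHDIBITS, size, 0, 0, width, height,
                      0, 0, 0, 0, width, height,
                      EMR_FIXED_LEN, len(bmih), EMR_FIXED_LEN + len(bmih), cb_bits,
                      0, 0x00CC0020, width, height)  # UsageSrc=DIB_RGB_COLORS, rop=SRCCOPY
    return hdr + bmih + bits

def validate_stretchdibits(record):
    """Return the list of bounds violations; an empty list means every check passed."""
    if len(record) < EMR_FIXED_LEN:
        return ["record shorter than the fixed EMR_STRETCHDIBITS header"]
    f = struct.unpack_from(EMR_FMT, record)
    rtype, size = f[0], f[1]
    off_bmi, cb_bmi, off_bits, cb_bits = f[12:16]
    if rtype != EMR_STRETCHDIBITS:
        return ["not an EMR_STRETCHDIBITS record"]
    if size > len(record):
        return ["Size field exceeds the bytes actually present"]
    # Check 1: the BITMAPINFO header must lie inside the record and be at least header-sized
    if cb_bmi < BMIH_LEN or off_bmi < EMR_FIXED_LEN or off_bmi + cb_bmi > size:
        return ["bitmap header (offBmiSrc/cbBmiSrc) outside the record"]
    problems = []
    # Check 2: the pixel bytes must lie inside the record
    if off_bits < EMR_FIXED_LEN or off_bits + cb_bits > size:
        problems.append("pixel data (offBitsSrc/cbBitsSrc) outside the record")
    (width, height, _planes, bpp, compression,
     _img, _xppm, _yppm, clr_used, _ci) = struct.unpack_from("<iiHHIIiiII", record, off_bmi + 4)
    # Check 3: a palettised DIB must carry its whole colour table within cbBmiSrc
    if bpp <= 8 and cb_bmi < BMIH_LEN + 4 * (clr_used or (1 << bpp)):
        problems.append("colour table extends past cbBmiSrc")
    # Check 4: for uncompressed DIBs the declared geometry must fit in cbBitsSrc, otherwise a
    # handler that trusts width/height reads past the supplied bits (the memory disclosure case)
    if compression == BI_RGB:
        stride = ((width * bpp + 31) // 32) * 4
        if width < 0 or stride * abs(height) > cb_bits:
            problems.append("declared width/height need more pixel bytes than cbBitsSrc supplies")
    return problems
```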

The security researcher managed to reproduce the vulnerability locally in Internet Explorer and remotely in Office Online, via a .docx document containing the specially crafted EMF file. The flaw is considered Medium severity.

In November last year, Google went public with information related to a 0-day vulnerability in Windows only 10 days after informing Microsoft of the matter, although a patch hadn’t been released yet. That disclosure, too, fell within the search giant’s policy, which gives vendors a 7-day deadline to resolve issues actively exploited by malicious actors.

A couple of years ago, Google made changes to its vulnerability disclosure policy after being criticized for enforcing it too strictly.

Related: Microsoft Patches Several Publicly Disclosed Flaws

Related: Microsoft Patches Windows Zero-Day Exploited by Russian Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
