Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Discloses Unpatched Windows GDI Vulnerability

An unpatched vulnerability affecting the Windows Graphics Device Interface (Windows GDI) was publicly disclosed last week after Microsoft failed to address it within 90 days after being notified.

An unpatched vulnerability affecting the Windows Graphics Device Interface (Windows GDI) was publicly disclosed last week after Microsoft failed to address it within 90 days after being notified.

The issue was disclosed by Mateusz Jurczyk, an engineer with Google’s Project Zero team, who initially discovered it along with other bugs in the user-mode Windows GDI library (gdi32.dll) in March 2016. Microsoft attempted to address these issues with the June 2016 set of monthly patches (security bulletin MS16-074), but apparently failed to do so.

While taking a look at the patched gdi32.dll, the Google security researcher discovered that some of the bugs were indeed resolved, but that others were still presenting security risks. In November 2016, the researcher filed another report to inform Microsoft on his findings.

As per Google’s Project Zero’s policy, vendors are provided with 90 days to resolve the reported vulnerabilities before they become public knowledge. As soon as the 90 days passed, the report went public, along with a proof-of-concept published by Jurczyk.

This public disclosure, however, appears to have been timed with the publishing of Microsoft’s February 2017 security update, which was expected to happen on February 14, but was delayed for one month “due to a last minute issue that could impact some customers.” The patches were expected to resolve a previously revealed high risk SMB 0-day as well.

Tracked as CVE-2017-0038, the newly disclosed vulnerability is related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF records. Last year, Google’s Jurczyk found missing checks “in at least 10 different records,” and says that Microsoft was able to nail only some of them with MS16-074, but that some of them are still posing security risks.

Jurczyk notes that a careful audit of all EMF record handlers that are responsible for dealing with DIBs is required, as it would ensure that all of them can correctly enforce all four conditions. If not all conditions are enforced, invalid memory access (and subsequent memory disclosure) while processing the bitmaps is possible.

The security researcher managed to reproduce the vulnerability locally in Internet Explorer and remotely in Office Online, via a .docx document containing the specially crafted EMF file. The flaw is considered Medium severity.

Advertisement. Scroll to continue reading.

In November last year, Google went public with information related to a 0-day vulnerability in Windows only 10 days after informing Microsoft on the matter, although a patch hadn’t been released yet. That disclosure too fell within the search giant’s policy, which gives vendors a 7-day deadline to resolve issues actively exploited by malicious actors.

A couple of years ago, Google made changes to its vulnerability disclosure policy after being criticized for enforcing it too strictly.

Related: Microsoft Patches Several Publicly Disclosed Flaws

Related: Microsoft Patches Windows Zero-Day Exploited by Russian Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.