Security Experts:

Temporary Fix Available for Windows GDI Vulnerability

A temporary fix is available for the Windows Graphics Device Interface (Windows GDI) vulnerability that was disclosed a couple of weeks ago.

The flaw was initially discovered by Mateusz Jurczyk, an engineer with Google's Project Zero team, in March 2016, along with other issues in the user-mode Windows GDI library (gdi32.dll). Microsoft attempted to resolve the bug with its June 2016 patches but failed to do so, and the researcher filed another report in November 2016.

As per Google’s Project Zero’s policy, vendors have 90 days to resolve the disclosed vulnerabilities before they are made public, and this policy applied to the Windows GDI flaw as well. However, because Microsoft didn’t release a monthly set of security updates in February, but pushed the patches to March, the vulnerability wasn’t resolved within the 90 days window.

Tracked as CVE-2017-0038, the vulnerability is related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF records. The security researcher who discovered it was able to reproduce the vulnerability both locally (in Internet Explorer) and remotely (in Office Online, using a DOCX file containing a specially crafted EMF file).

Although Microsoft hasn’t released a fix for the issue yet, Luka Treiber with the 0patch Team devised a temporary fix for the issue. For that, the researcher worked with the proof of concept that Google’s Jurczyk published, and says that the issue was visible each time the specially crafted EMF file was loaded in Internet Explorer 11.

“CVE-2017-0038 is a bug in EMF image format parsing logic that does not adequately check image dimensions specified in the image file being parsed against the amount of pixels provided by that file. If image dimensions are large enough the parser is tricked into reading memory contents beyond the memory-mapped EMF file being parsed,” Treiber explains.

By leveraging this vulnerability, an attacker could steal sensitive data that an application holds in memory, but could also abuse it in other attacks, where they need to defeat Address space layout randomization (ASLR).

The fix for the flaw, the security researcher explains, needs to include a check that cbBitsSrc (the size of source bitmap bits) is smaller than cxSrc * cySrc * 4 (width of the source rectangle, in logical units * height of the source rectangle, in logical units * number of bytes representing each pixel). The researcher notes that he first focused on finding the right location for the patch, before writing it, so that he could write as little code as possible.

The temporary fix for the zero-day Windows GDI issue should be already available on machines with 0patch Agent installed, because they already have patches ZP-258 through ZP-264, the researcher says. Moreover, he notes that Microsoft’s patch for this will replace this fix.

“Note that when Microsoft’s update fixes this issue, it will replace the vulnerable gdi32.dll and our patch will automatically stop getting applied as it is strictly tied to the vulnerable version of the DLL. We have deployed this patch for the following platforms: Wind ows 10 64bit, Windows 8.1 64bit, Windows 7 64bit and Windows 7 32bit,” the researcher says.

It should also be noted that security vendors have already updated their products to keep them safe from potential attacks attempting to abuse this vulnerability.

Related: Windows SMB 0-Day Risk Downplayed

Related: Google Discloses Unpatched Windows GDI Vulnerability

Related: Microsoft Postpones February Security Updates to March 14

view counter