Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Temporary Fix Available for Windows GDI Vulnerability

A temporary fix is available for the Windows Graphics Device Interface (Windows GDI) vulnerability that was disclosed a couple of weeks ago.

A temporary fix is available for the Windows Graphics Device Interface (Windows GDI) vulnerability that was disclosed a couple of weeks ago.

The flaw was initially discovered by Mateusz Jurczyk, an engineer with Google’s Project Zero team, in March 2016, along with other issues in the user-mode Windows GDI library (gdi32.dll). Microsoft attempted to resolve the bug with its June 2016 patches but failed to do so, and the researcher filed another report in November 2016.

As per Google’s Project Zero’s policy, vendors have 90 days to resolve the disclosed vulnerabilities before they are made public, and this policy applied to the Windows GDI flaw as well. However, because Microsoft didn’t release a monthly set of security updates in February, but pushed the patches to March, the vulnerability wasn’t resolved within the 90 days window.

Tracked as CVE-2017-0038, the vulnerability is related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF records. The security researcher who discovered it was able to reproduce the vulnerability both locally (in Internet Explorer) and remotely (in Office Online, using a DOCX file containing a specially crafted EMF file).

Although Microsoft hasn’t released a fix for the issue yet, Luka Treiber with the 0patch Team devised a temporary fix for the issue. For that, the researcher worked with the proof of concept that Google’s Jurczyk published, and says that the issue was visible each time the specially crafted EMF file was loaded in Internet Explorer 11.

“CVE-2017-0038 is a bug in EMF image format parsing logic that does not adequately check image dimensions specified in the image file being parsed against the amount of pixels provided by that file. If image dimensions are large enough the parser is tricked into reading memory contents beyond the memory-mapped EMF file being parsed,” Treiber explains.

By leveraging this vulnerability, an attacker could steal sensitive data that an application holds in memory, but could also abuse it in other attacks, where they need to defeat Address space layout randomization (ASLR).

Advertisement. Scroll to continue reading.

The fix for the flaw, the security researcher explains, needs to include a check that cbBitsSrc (the size of source bitmap bits) is smaller than cxSrc * cySrc * 4 (width of the source rectangle, in logical units * height of the source rectangle, in logical units * number of bytes representing each pixel). The researcher notes that he first focused on finding the right location for the patch, before writing it, so that he could write as little code as possible.

The temporary fix for the zero-day Windows GDI issue should be already available on machines with 0patch Agent installed, because they already have patches ZP-258 through ZP-264, the researcher says. Moreover, he notes that Microsoft’s patch for this will replace this fix.

“Note that when Microsoft’s update fixes this issue, it will replace the vulnerable gdi32.dll and our patch will automatically stop getting applied as it is strictly tied to the vulnerable version of the DLL. We have deployed this patch for the following platforms: Wind ows 10 64bit, Windows 8.1 64bit, Windows 7 64bit and Windows 7 32bit,” the researcher says.

It should also be noted that security vendors have already updated their products to keep them safe from potential attacks attempting to abuse this vulnerability.

Related: Windows SMB 0-Day Risk Downplayed

Related: Google Discloses Unpatched Windows GDI Vulnerability

Related: Microsoft Postpones February Security Updates to March 14

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.