Google has proven it has no mercy when it comes to disclosing vulnerabilities that remain unpatched after its 90-day policy has passed — and a new Windows vulnerability is no exception.
Mateusz Jurczyk, a security researcher based in Poland and a member of Google’s Project Zero team, found multiple Windows vulnerabilities in Microsoft’s Graphics Device Interface (GDI) library. According to Jurczyk, some of the issues were fixed in Microsoft’s June 2016 Patch Tuesday release (MS16-074), but not all of them. In a post dated Nov. 16, 2016, Jurczyk said he had disclosed the vulnerability to Microsoft.
Project Zero has a strict 90-day disclosure deadline after which it will release the details of the bugs it finds, regardless of whether there is a patch or not — a practice which has burned Microsoft in the past. This time, a proof-of-concept exploit of the Windows vulnerability became publicly visible once the 90-day deadline passed.
Jurczyk describes an exploit that reads memory contents where a malicious image file would force pixels to be “drawn based on junk heap data, which may include sensitive information, such as private user data or information about the virtual address space. I have confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file.”
Craig Young, security researcher at Tripwire, told SearchSecurity this Windows vulnerability alone wasn’t too dangerous, but “could give an attacker a way to exploit a difficult-to-exploit code execution bug.”
“Usually this type of vulnerability is essentially a primitive tool useful only as a step in a larger exploit chain containing more serious code execution flaws. In this specific instance however, an attacker could theoretically use crafted image files within web content in such a way that the attacker could read data on the user’s PC that they should not have access to,” Young said. “Fortunately there is no indication that an attacker intentionally read specific data but rather is limited to random heap memory contents likely adjacent to where the malicious graphic was constructed.”
The vulnerability disclosure comes less than one week after Microsoft surprised customers by cancelling February’s Patch Tuesday release without giving a clear reason. It is unknown if the patch for this Windows vulnerability would have been part of the Patch Tuesday release.
Microsoft did not respond to questions about the Windows vulnerability but pointed to an official statement about Patch Tuesday being cancelled, which attributed “a last minute issue that could impact some customers” as the reason for the delay.
Even without a patch, though, Young said “network administrators should not lose sleep over this bug.”
“The details released should allow security vendors to recognize exploitation attempts of this flaw,” Young said. “As usual, browsing and opening only trusted content is very important. For web browsing, the use of HTTPS can also help by ensuring that content from a trusted site is not altered by a malicious actor.”
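One practical triage step on the defender’s side, added here as an example (it is not code from the article or from Jurczyk’s post): the flaw is reached through an EMF image embedded in a .docx, and a .docx is a ZIP container, so a mail gateway or an analyst can at least enumerate the EMF attachments a document carries and route them to a sandbox or an image-rendering-disabled viewer. The checker below identifies EMF by the ENHMETAHEADER signature rather than by extension, so it also flags an EMF that has been renamed to .png; it does not recognise the vulnerable record itself, only the file type the page names as the delivery vehicle. The sample document and the minimal 88-byte header are constructed inline and are not real images.

```python
"""Enumerate EMF images inside a .docx (a ZIP container) for triage.

Added example, not from the article. It surfaces EMF members so they can
be inspected or blocked; it does not detect the GDI bug itself.
"""
import io
import struct
import zipfile

ENHMETA_SIGNATURE = 0x464D4520  # " EMF", dSignature field at offset 40
EMR_HEADER = 1                  # record type of the first EMF record
MIN_HEADER_SIZE = 88            # minimum EMR_HEADER size per MS-EMF


def is_emf(data: bytes) -> bool:
    """True if the bytes begin with a well-formed EMR_HEADER record."""
    if len(data) < 44:
        return False
    record_type, record_size = struct.unpack_from("<II", data, 0)
    signature = struct.unpack_from("<I", data, 40)[0]
    return (record_type == EMR_HEADER
            and record_size >= MIN_HEADER_SIZE
            and signature == ENHMETA_SIGNATURE)


def find_emf_members(docx_bytes: bytes) -> list:
    """Return one dict per EMF member: name, size, extension_mismatch."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # the header is enough to classify
            if is_emf(head):
                hits.append({
                    "name": info.filename,
                    "size": info.file_size,
                    # an EMF hiding behind another extension deserves a closer look
                    "extension_mismatch": not info.filename.lower().endswith(".emf"),
                })
    return hits


def make_emf_header() -> bytes:
    """Constructed minimal EMR_HEADER (zeroed bounds); not a drawable image."""
    hdr = bytearray(MIN_HEADER_SIZE)
    struct.pack_into("<II", hdr, 0, EMR_HEADER, MIN_HEADER_SIZE)  # iType, nSize
    struct.pack_into("<I", hdr, 40, ENHMETA_SIGNATURE)            # dSignature
    struct.pack_into("<I", hdr, 48, MIN_HEADER_SIZE)              # nBytes
    struct.pack_into("<I", hdr, 52, 1)                            # nRecords
    return bytes(hdr)


def build_sample_docx() -> bytes:
    """Constructed .docx: one honest EMF, one EMF renamed to .png, one real PNG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/media/image1.emf", make_emf_header())
        zf.writestr("word/media/image2.png", make_emf_header())
        zf.writestr("word/media/image3.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 40)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_emf_members(build_sample_docx()):
        flag = " (extension mismatch)" if hit["extension_mismatch"] else ""
        print(f"{hit['name']}: {hit['size']} bytes{flag}")
```

Run against the constructed document it lists `word/media/image1.emf` and `word/media/image2.png`, flagging the second as an extension mismatch, and ignores the genuine PNG. In a real pipeline the same function would be applied to each inbound attachment, with EMF-bearing documents held for sandbox rendering rather than delivered straight to users.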