Google discloses another unpatched Windows vulnerability

Google Project Zero member Mateusz Jurczyk disclosed a gdi32.dll vulnerability in the Windows operating system to Microsoft on November 16, 2016.

The report itself is quite technical and it would go too far to go into details here on the site. The following describes the turn of events however.

Jurczyk disclosed issues with gdi32.dll to Microsoft back in March, 2016. He described methods back then that would allow attackers to exploit an issue in the dynamic link library. The issue was that records failed to perform exhaustive sanitization.

Microsoft released the security bulletin MS16-074 in June 2016 which fixed issues in the Windows Graphics Component (gdi32.dll) among other things.

Turns out, Microsoft did not do a good enough job in resolving the issues described on Google's Project Zero website.

Jurczyk checked the updated version of gdi32.dll again to see if the patching was successful, or if vulnerabilities would still exist.

Turns out, the patching was not sufficient. He notes in the new report that MS16-074 did fix some of the bugs, but not all of them.

However, we've discovered that not all of the DIB-related problems are gone.

[..]

As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.

Google gives companies 90 days after disclosure of vulnerabilities to fix the issue. If the time period elapses without a patch that is made available to the public, the vulnerability is disclosed to the public.

Jurczyk reported the issue to Microsoft on November 16, 2016. Microsoft did not release a patch in time, which is why the system revealed the issue and the example exploit code.

Good news for Windows users is that the issue should not be of major concern as it requires access to the machine to exploit the issue. Woody notes that an attacker would have to log on to the machine to execute a specially prepared EMF file to exploit the issue.

Still, this is another unpatched Windows vulnerability after the zero-day SMB vulnerability that came to light in the beginning of February 2017. You need to add the unpatched Flash Player in Edge to that as well.

It is possible that Microsoft had plans to release a security update for the reported vulnerability on the February 2017 Patch day. But that patch day did not happen, as Microsoft announced the postponing of the patch day to March.

We don't know whether Microsoft has a patch for the issue in the pipeline that would have made Google's deadline, or if a SMB vulnerability patch would have been made available in February.

Microsoft has yet to reveal why it postponed the patch day a whole month.