Microsoft’s zero-day vulnerability publicly disclosed by Google’s Project Zero security researchers
Google’s Project Zero has exposed a vulnerability found in Windows 10, as Microsoft failed to release a patch in time. The vulnerability in question is in the gdi32.dll file, which is used by a significant number of programs. It affects Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10, which are yet to be patched.
For those unfamiliar, Google’s Project Zero is a team of security analysts employed by Google to find zero-day vulnerabilities before malicious people can exploit them. Google gives a company 90 days after disclosure of a vulnerability to fix the issue. If that period elapses without a patch being made available to the public, the vulnerability is disclosed publicly so that users can protect themselves by taking the necessary steps.
Google’s Project Zero member Mateusz Jurczyk responsibly reported a vulnerability in Windows’ Graphics Device Interface (GDI) library to the Microsoft Security Team on June 9, 2016. At the time, he described methods that would allow attackers to steal information from memory and that affect any program that uses this library. The issue was that records failed to perform comprehensive sanitization.
Microsoft released the security bulletin MS16-074 on June 15, 2016, which fixed issues in the Windows Graphics Component (gdi32.dll) among other things.
“We’ve discovered that not all of the DIB-related problems are gone,” Jurczyk said. “As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.”
However, it appears that Microsoft did not fix all the bugs in the GDI library, and the researcher once again reported the issue to the company with a proof of concept on November 16, 2016.
As Microsoft failed to release a patch within 90 days of the submission of the report, the details of the vulnerability were made available to the public, which also includes attackers.
While Microsoft is yet to comment on the now-public report of the exploit, there is no reason for users to panic, as hackers will require physical access to the host machine to exploit the vulnerability. Recently, on February 14, 2016, Microsoft delayed this month’s Patch Tuesday by a month due to “a last-minute issue that could impact some customers and was not resolved in time for [Microsoft’s] planned updates.”
You can read the full report here.