Sunday February 19, 2017

Google Discloses Another Unpatched Windows Vulnerability

Google’s Project Zero team has disclosed a vulnerability in the Windows GDI (Graphics Device Interface) library (gdi32.dll) that allows an attacker to use EMF files to read the contents of a user’s memory. The issue was originally reported back on November 16 but was never patched properly, so its details are now out in the wild. Had Microsoft not botched its security update this month, this might have been avoided, assuming the fix was part of that package. Another exploit that still needs to be addressed is the malicious SMB one that was unveiled a couple of weeks ago.

Google gives companies 90 days after disclosure of vulnerabilities to fix the issue. If the time period elapses without a patch being made available to the public, the vulnerability is disclosed to the public. Jurczyk reported the issue to Microsoft on November 16, 2016. Microsoft did not release a patch in time, which is why the system revealed the issue and the example exploit code. The good news for Windows users is that the issue should not be of major concern, as exploiting it requires access to the machine. Woody notes that an attacker would have to log on to the machine to execute a specially prepared EMF file to exploit the issue.