Google’s Project Zero has unearthed a bug in Windows, and as Microsoft failed to patch it within 90 days of being notified, details of the flaw have been made public.
The vulnerability in question is in the gdi32.dll file that is used by a significant number of programs. It is affecting Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10, which are yet to be patched.
Google gives company 90 days after disclosure of vulnerabilities to fix the issue. However, if the time elapses without a patch that is made available to the public, the vulnerability is then disclosed to the public so that users can protect themselves by taking necessary steps.
In a post, Google’s Mateusz Jurczyk explains how the bug works. The post — entitled “Windows gdi32.dll heap-based out-of-bounds reads / memory disclosure in EMR_SETDIBITSTODEVICE and possibly other records” — says that Microsoft issued a patch that fixed a related issue, but not all the memory access issues were addressed.
As part of MS16-074, some of the bugs were indeed fixed, such as the EMR_STRETCHBLT record, which the original proof-of-concept image relied on. However, we’ve discovered that not all the DIB-related problems are gone. As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.
Jurczyk informed Microsoft about the bug on 16 November, giving the Windows-maker 90 days to get things sorted before going public. With this month’s batch of security patches from Microsoft being delayed, the company missed the deadline, so the details of the bug are now available for everyone to see.