Slashdot Mirror


Google Discloses An Unpatched Windows Bug (Again) (bleepingcomputer.com)

An anonymous reader writes: "For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement," reports BleepingComputer. "The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll)..." According to Google, the issue allows an attacker to read the content of the user's memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among many.

"According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable." He later resubmitted the bugs in November 2016. The 90-day deadline for fixing the bugs expired last week, and the Google researcher disclosed the bug to the public after Microsoft delayed February's security updates to next month's Patch Tuesday, March 15.

Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".
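The summary notes that a malicious EMF can ride inside a DOCX rather than arriving as a standalone file. A practical triage check is therefore to look at what an Office document actually contains, not what its media entries are named. The script below is an added example, not code from the article, from Google, or from Microsoft: it opens an Office Open XML container (DOCX, XLSX and PPTX are all zip archives) and flags every entry whose bytes begin with an EMF header, so a metafile renamed to .png is still caught. The header layout (record type 1, record size, two 16-byte rectangles, then the signature " EMF" / 0x464D4520 at byte offset 40, 88 bytes for the base header) is taken from the MS-EMF specification; the sample DOCX it builds is constructed for the demonstration and is not a real document or exploit file.

```python
import io
import struct
import zipfile

# EMF files open with an EMR_HEADER record: Type (4 bytes) = 1, Size (4 bytes),
# Bounds (16), Frame (16), then Signature (4) = 0x464D4520 (" EMF") at offset 40.
EMR_HEADER_TYPE = 0x00000001
ENHMETA_SIGNATURE = 0x464D4520
BASE_HEADER_SIZE = 88  # EMR_HEADER without the OpenGL / micrometer extensions


def looks_like_emf(data: bytes) -> bool:
    """Identify an EMF blob by its header fields rather than by file name."""
    if len(data) < 44:
        return False
    rec_type, rec_size = struct.unpack_from("<II", data, 0)
    (signature,) = struct.unpack_from("<I", data, 40)
    return (rec_type == EMR_HEADER_TYPE
            and rec_size >= 44
            and signature == ENHMETA_SIGNATURE)


def find_embedded_emf(container: bytes) -> list:
    """Return the names of zip entries in an OOXML container whose content is
    EMF, regardless of the extension the entry was given."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # the check only needs the first 44 bytes
            if looks_like_emf(head):
                hits.append(info.filename)
    return hits


def make_emf_header() -> bytes:
    """Constructed minimal EMR_HEADER: a valid header with no records after it,
    enough to exercise the detector, not a renderable metafile."""
    hdr = struct.pack("<II", EMR_HEADER_TYPE, BASE_HEADER_SIZE)
    hdr += b"\x00" * 32                         # rclBounds, rclFrame
    hdr += struct.pack("<I", ENHMETA_SIGNATURE)  # dSignature at offset 40
    hdr += b"\x00" * (BASE_HEADER_SIZE - len(hdr))
    return hdr


def build_sample_docx() -> bytes:
    """Constructed sample DOCX: one EMF under its own name, one EMF disguised
    as a PNG, and one entry with a genuine PNG signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.emf", make_emf_header())
        zf.writestr("word/media/image2.png", make_emf_header())  # EMF behind .png
        zf.writestr("word/media/image3.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 40)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python emf_scan.py  (or call find_embedded_emf(open(path, "rb").read()))
    for name in find_embedded_emf(build_sample_docx()):
        print("EMF content found in", name)
```

Flagging by content rather than extension is the point of the check: Office resolves media through the package relationships, so an attacker is free to name an EMF part anything they like. A positive hit is not proof of exploitation, only that a metafile is present and deserves a closer look (or quarantine) while the GDI fix is outstanding.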

8 of 122 comments

  1. Control vs. Security by ZP-Blight · Score: 4, Insightful

    This is what happens when control overtakes security as a priority.

    --
    Zoom Player Lead Dev.
    1. Re: Control vs. Security by Anonymous Coward · Score: 3, Insightful

      10 months isn't long enough to fix something?
      Especially something Microsoft supposedly fixed 8 months ago?

  2. Wrong Headline by Anonymous Coward · Score: 5, Insightful

    Shouldn't the headline be "Microsoft fails to fix exploit for months"?

  3. Disappointing? by danhuby · Score: 5, Insightful

    > Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".

    I would describe Microsoft's ability to patch these bugs within a reasonable timeframe as "disappointing".

  4. Poor spin on what actually happened by Anonymous Coward · Score: 3, Insightful

    This is a pretty disappointing spin on what sounds like actually happened.

    So... March 2016 they found it and suggested a fix. The June patch by Microsoft was insufficient, so they told them (again) in November 2016 they need to fix it. Microsoft had an additional 90 days to patch the bug (which is pretty standard practice in the industry), and didn't fix a YEAR OLD bug.

    What was Microsoft expecting here? I would expect the same to happen to Google, Apple, or any other big company if it took them that long to fix a bug that's been known for that long.

  5. Re: Microsoft deserved it by chaboud · Score: 5, Insightful

    Which is why a 90 day disclosure to public announcement deadline is a reasonable measure. If a bug can be discovered by a nice engineer, it can also be discovered and exploited by a malicious one.

    People being mad about this announcement would be akin to people being angry about leaks from Trump's administration rather than the malfeasance uncovered, which would be, you know... Ludicrous.

    Or Snowden, etc...

  6. Re: Microsoft deserved it by Anonymous Coward · Score: 2, Insightful

    Because Google does such a great job ensuring the same for their Android users. /sarcasm

    If patches can't make it to end users, they're just as culpable. They created their situation.

  7. 'Disappointing', eh? by fuzzyfuzzyfungus · Score: 4, Insightful

    So, yet another exploit in GDI; an initial attempt at a fix that didn't actually work; a second attempt that was delayed a month (along with a reasonably juicy SMB issue, and probably some other stuff); and the disclosure is the 'disappointing' part? How eminently plausible.