Google Discloses An Unpatched Windows Bug (Again) (bleepingcomputer.com)
An anonymous reader writes: "For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement," reports BleepingComputer. "The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll)..." According to Google, the issue allows an attacker to read the content of the user's memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among many.
"According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable." He later resubmitted the bugs in November 2016. The 90-day deadline for fixing the bugs expired last week, and the Google researcher disclosed the bug to the public after Microsoft delayed February's security updates to next month's Patch Tuesday, on March 15.
Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".
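A defender-side check for the delivery vector the summary describes (EMF data carried inside a DOCX container), written as an added example that is not code from the article, Project Zero or Microsoft: it opens the OOXML zip and flags members whose bytes carry the EMF header signature, whatever their file extension. The sample archive it scans is constructed inline.

```python
import io
import struct
import zipfile

# EMF files begin with an EMR_HEADER record (type 1) and carry the
# ENHMETA_SIGNATURE 0x464D4520 (" EMF" little-endian) at byte offset 40.
EMR_HEADER = 1
EMF_SIGNATURE_OFFSET = 40
EMF_SIGNATURE = b" EMF"


def looks_like_emf(data: bytes) -> bool:
    """Return True if the bytes start with an EMF header, whatever the file name."""
    if len(data) < EMF_SIGNATURE_OFFSET + 4:
        return False
    record_type = struct.unpack_from("<I", data, 0)[0]
    signature = data[EMF_SIGNATURE_OFFSET:EMF_SIGNATURE_OFFSET + 4]
    return record_type == EMR_HEADER and signature == EMF_SIGNATURE


def find_embedded_emf(docx_bytes: bytes) -> list:
    """List the members of an OOXML container that hold EMF data.
    Checks content rather than extension, so a renamed .png is still flagged."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(EMF_SIGNATURE_OFFSET + 4)
            if looks_like_emf(head):
                hits.append(info.filename)
    return hits


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal OOXML-style zip holding one EMF-like
    header renamed to .png and one PNG stub that must not be flagged."""
    emf_header = struct.pack("<II", EMR_HEADER, 108) + b"\x00" * 32 + EMF_SIGNATURE + b"\x00" * 64
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\x00" * 100
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", emf_header)  # EMF hiding behind a .png name
        zf.writestr("word/media/image2.png", png_stub)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_emf(build_sample_docx()))  # → ['word/media/image1.png']
```

The same scan applies to any OOXML container (XLSX, PPTX), since they share the zip layout; it identifies embedded EMF for triage and does not by itself indicate that a given file is malicious.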
It would be interesting to see if this security issue also affects LibreOffice on a Window$ system since it also opens docx files. Anyone know? I'm a Linux user (duh), but even I will admit to how much nicer M$ Office is. I like Apple's iWork stuff too, but having to save a document in a strictly Apple format to keep the cool stuff it'll do isn't worth it vs. practicality. The day LibreOffice supports Google Drive out-of-the-box and has a mobile version, Office 365 doesn't have a chance. Also, something to note on Linux and LibreOffice, there are a whole bunch of command line cheats you can use with LibreOffice, so no GUI needed if you have enough patience. Type a doc with nano or pico and convert to a PDF with "soffice --headless --convert-to pdf file_to_convert.xxx". There's a lot more you can do with LibreOffice than you can with M$ Office, but eye candy gets people every time.
TFA (which the summary quotes) implies the fix was in the February update which Microsoft delayed. So the courteous thing to do would've been to extend disclosure beyond 90 days until after the March update.
OTOH, the entire reason Microsoft had to delay the February update was because they insisted on lumping all the patches into one huge mega-update. If they'd stuck with individual updates as before, then the crucial security patches would've gone out on time, while only the problem patch would've been delayed. So it's still Microsoft's fault.
Why are we are trusting these people to provide widely-used software, again?
A reasonable time-frame to patch security vulnerabilities is like 2...4 weeks. 90 days is already stretching it considerably and they still are too incompetent or uncaring to make that long deadline. Google is doing the right thing here. If incompetent and lazy vendors are not forced to fix security vulnerabilities, they will never do it. It is just utterly pathetic that we allow MS to be one of these worst offenders.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
MS needs to be either kicked hard until they get that they have a responsibility, or they need to be made completely obsolete. 90 days is plenty. I say we call not fixing reported security bugs in 90 days gross negligence and make them by default liable for all hacks of their "OS" that happen afterwards until they patch, with no possibility to prevent that liability in the TOU.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.