Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Discloses An Unpatched Windows Bug (Again) (bleepingcomputer.com)

Posted by EditorDavid on from the presents-from-Project-Zero dept.

An anonymous reader writes: "For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement," reports BleepingComputer. "The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll)..." According to Google, the issue allows an attacker to read the content of the user's memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among many.

"According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable." He later resubmitted the bugs in November 2016. The 90-days deadline for fixing the bugs expired last week, and the Google researcher disclosed the bug to the public after Microsoft delayed February's security updates to next month's Patch Tuesday, for March 15.
Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".

5 of 122 comments (clear)

  1. Wrong Headline by Anonymous Coward · · Score: 5, Insightful

    Shouldn't the headline be "Microsoft fails to fix exploit for months"?

  2. Microsoft deserved it by bongey · · Score: 5, Informative

    The bug was actively being used to exploit windows. Letting people know there is active exploit is more important than bad PR for Microsoft.

    1. Re: Microsoft deserved it by chaboud · · Score: 5, Insightful

      Which is why a 90 day disclosure to public announcement deadline is a reasonable measure. If a bug can be discovered by a nice engineer, it can also be discovered and exploited by a malicious one.

      People being mad about this announcement would be akin to people being angry about leaks from Trump's administration rather than the malfeasance uncovered, which would be, you know... Ludicrous.

      Or Snowden, etc...

  3. Disappointing? by danhuby · · Score: 5, Insightful

    > Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".

    I would describe Microsoft's ability to patch these bugs within a reasonable timeframe as "disappointing".

  4. Re:LibreOffice? by fuzzyfuzzyfungus · · Score: 5, Informative

    You can definitely embed Windows Metafile images in LibreOffice on Windows; but I'm not entirely sure if that is enough to make it vulnerable. WMF is dangerous because it is basically a package of GDI function calls, which might be good for efficiency or compactness; but has led to a number of creative and executable things being shoehorned in(as in this case; and repeatedly over the years).

    However, there are several image handling libraries that can render or convert WMF images without access to GDI; so in those cases GDI bugs wouldn't be a problem(though you probably have other things to worry about).

    This Libreoffice VCL documentation suggests that LibreOffice uses its own VCL WMF filters; but I sure wouldn't bet anything remotely important on that without testing it first; or knowing rather more about how LibreOffice is put together.