Security experts at the Google Project Zero group have publicly disclosed a vulnerability affecting Microsoft’s Windows OS.
It has happened again, the hackers at Google Project Zero have publicly disclosed a vulnerability affecting Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10, that had yet to be patched by the IT giant.
The experts also published a proof-of-concept exploit code.
In October, the experts at the Google Project Zero publicly disclosed a critical Windows zero-day vulnerability ten days after reporting it to Microsoft.
According to Google, the reason for going public without waiting for a patch is that its experts have observed exploits for the flaw in the wild.
Back to the present, the experts at Project Zero publicly disclosed the flaw in Windows OS because Microsoft failed to patch it within the 90-day window given by the Google.
The flaw affected the Windows’ Graphics Device Interface (GDI) library, the Google’s Project Zero member Mateusz Jurczyk reported it to the Microsoft Security Team on the 9th of June last year.
The impact of the vulnerability is serious, it affects any application that uses this GDI library. An attacker can exploit the vulnerability to steal sensitive data from the memory of the vulnerable system.
As explained before, Microsoft failed to address the flaw in the GDI library with a patch released on 15th June. The security updates did not solve all the issues in the Windows library, for this reason, the Project Zero experts report it to Microsoft with a proof-of-concept on 16th of November.
“As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker,” states Jurczyk in the second report.
Three months have passed, but Microsoft failed to solve the vulnerability so Google security experts released the details of the flaw to the public.
This implies that threat actors in the wild now can exploit the flaw in targeted attacks.
The good news, in this case, is that an attacker needs a physical access to the target machine to exploit the vulnerability.
Recently Microsoft delayed this month’s Patch Tuesday by a month due to “a last-minute issue that could impact some customers and was not resolved in time for [Microsoft’s] planned updates” on 14th February.
Experts believe that the flaw in the GDI library will remain unsolved for almost a month, this means that attackers in the wild may exploit it.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.