Security researchers at Google’s Project Zero have now reported and exposed a Windows 10 vulnerability that Microsoft has obviously failed to patch on time…
Project Zero, as we know, is Google’s team of security experts and analysts who work on detecting and analyzing zero-day vulnerabilities. Mateusz Jurczyk, a member of this team, has exposed a zero-day vulnerability that lies in the gdi32.dll file in the Windows operating system. The vulnerability was first reported to Microsoft in March 2016. Microsoft acknowledged the vulnerability and attempted to patch it with the MS16-074 security update, which was released in June 2016. Jurczyk points out that only part of the problem was fixed.
In the words of Mateusz Jurczyk: “As part of MS16-074, some of the bugs were indeed fixed, such as the EMR_STRETCHBLT record, which the original proof-of-concept image relied on. However, we’ve discovered that not all of the DIB-related problems are gone. For instance, the implementation of EMR_SETDIBITSTODEVICE (residing in the MRSETDIBITSTODEVICE::bPlay function) still doesn’t enforce condition #3. As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.”
As is known, when Project Zero finds a zero-day vulnerability, it’s immediately reported to the software manufacturer and the bug report will be subject to a 90-day disclosure deadline. If the issue isn’t fixed in 90 days, the bug report automatically becomes visible to the public.
Microsoft has yet to comment, so it is unclear when a fix for the issue will arrive. Let’s hope this security hole is plugged soon and that not a single zero-day attack makes use of this vulnerability…
Well, as a postscript, we’d like to add that it’s always better to be prepared to block or prevent zero-day attacks, or for that matter any kind of malware attack. It’s always good to be armed with antivirus and other security software, along with the best security technologies, such as containerization.