Google Discloses Windows Vulnerability That Microsoft Fails To Patch, Again!

Microsoft is once again facing embarrassment for not patching a vulnerability on time.

Yes, Google’s Project Zero team has once again publicly disclosed a zero-day vulnerability affecting Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10 that had yet to be patched.

A few months back, the search engine giant

disclosed a critical Windows vulnerability

to the public just ten days after revealing the flaw to Microsoft.

However, this time Google revealed the vulnerability in Windows to the public after Microsoft failed to patch it within the 90-day window given by the company.

Google’s Project Zero member Mateusz Jurczyk responsibly

reported a vulnerability

in Windows’ Graphics Device Interface (GDI) library to Microsoft Security Team on the 9th of June last year.

The vulnerability affects any program that uses this library, and if exploited, could potentially allow hackers to steal information from memory.

While Microsoft

released a patch

for the vulnerability on 15th June, the company did not fix all the issues in the GDI library, forcing the Project Zero researcher to once again report it to Microsoft with a proof-of-concept on 16th of November.

“As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker,” Jurczyk notes in the new report.

Now, after giving the three-month grace period to the company, Google released the details of the vulnerability to the public, including hackers and malicious actors.

Google Project Zero

team routinely finds security holes in different software and calls on the affected software vendors to publicly disclose and patch bugs within 90 days of discovering them. If not, the company automatically makes the flaw along with its details public.

Although Windows users need not panic, as hackers will require physical access to the host machine to exploit the vulnerability, the Redmond giant will have to release an emergency patch before sophisticated exploits are developed.

Microsoft recently

delayed its this month’s Patch Tuesday

by a month due to “a last-minute issue that could impact some customers and was not resolved in time for [Microsoft’s] planned updates” on 14th February.

So, if there is no expected emergency patch this month, this newly disclosed vulnerability will be left open for hackers for almost a month to exploit — just like we saw last time when

Russian hackers actively exploited

then-unpatched Windows kernel bug in the wild — which could put Windows users at potential risk.

Source: THN : The Hacker News @ February 18, 2017 at 09:14AM