Google’s Project Zero has again revealed a Windows bug before Microsoft fixed it.
Project Zero operates under a “once we tell you about a bug you have 90 days to fix it or the kitten gets it or we reveal it to the world” policy.
On this occasion, the bug allows attackers to access memory using EMF metafiles, a tool implemented in the Windows Graphics Component GDI library (gdi32.dll) that helps applications to use graphics. And once an attacker is in memory, things can get interesting.
Mateusz Jurczyk, the Google chap who found the bug and others like it in the past, writes that Redmond fixed similar messes he reported last year. But he also alleges that the fix for those flaws, MS16-074, didn’t completely address issues that allow access to memory. So he told Microsoft about the issue on November 16th, 2016, and waited. And waited. And waited until last week’s we-don’t-call-it-patch-Tuesday-anymore came and went because Microsoft needed more time to get a new patch dump just right.
At which point the 90-day policy kicked in and Google pulled the trigger, revealing the flaw to the world.
Microsoft doesn’t like it when this happens: back in November 2016 the company all-but-accused Google of giving criminals a helping hand by revealing a bug, while also saying the flaw in question wasn’t all that scary anyway.
The Register is yet to detect a response from Microsoft on this release. If we do … you know the drill [We’ll either update this story and/or write a new one – Ed]. ®
Source: SANS ISC SecNewsFeed @ February 19, 2017 at 05:57PM