Google Discloses Another Unpatched Windows Bug

Google has published proof-of-concept exploit code for an unpatched security flaw in Windows – the second time it has done so in the past three months.

The search company’s advisory coincides with Microsoft’s decision to delay its regular monthly batch of security fixes for February until next month, meaning users have no immediate way of protecting themselves against an attack using the bug.

Memory disclosure

The bug affects the Windows Graphics Device Interface (GDI), a library that allows applications to display graphics and formatted text on a video output or a local printer.

It’s part of a group of bugs originally reported last March, where Google engineer Mateusz Jurczyk reported that various Windows components handling the Enhanced Metafile (EMF) image format could be exploited to disclose the contents of the system’s memory, which could either release sensitive data or facilitate other types of attacks.

Those bugs were addressed in a patch last June, but in the new advisory Jurczyk said not all of the issues with the user-mode Windows GDI library were fixed.

“It is possible to disclose uninitialised or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker,” he wrote. “I have confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file.”

The bug was reported in November with a 90-day disclosure deadline timed to expire on 14 February, the date of Microsoft’s cancelled patch bundle. It was automatically published when the deadline passed.

‘Disappointing’ disclosure

Microsoft didn’t specify whether a fix was included in the cancelled update, and did not immediately respond to a request for comment. The company said it delayed the update due to a “last minute issue that could impact some customers”.

A fix may be delivered in March or sooner, if Microsoft opts to release an out-of-cycle patch. In the meantime Google didn’t provide any mitigations, other than advising Microsoft to audit the components handling EMF files to ensure they work properly.

In November Microsoft found itself in a similar situation when Google published the details of an unpatched security-bypass bug. In that case Google made details of the flaw public only seven days after discovering it because it was being actively exploited by hackers.

Microsoft warned Russian government-linked hackers were behind the attacks exploiting the flaw and criticised Google’s disclosure, saying it was “disappointing” and put users at risk.

The bug was fixed on the following Patch Tuesday, several days later.

Google’s Project Zero is intended to hunt down unpatched flaws and has attracted industry criticism for its policy of releasing the details of the bugs on a set schedule, whether they have been fixed or not.

The policy is intended to put pressure on vendors to patch quickly, Google has said.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
