It has happened again: for the second time in a few months, the researchers at Google Project Zero have publicly disclosed a vulnerability affecting Microsoft's Windows operating systems, from Windows Vista Service Pack 2 to the latest Windows 10, that had yet to be patched by the IT giant.

Along with the details, the Google researchers also published proof-of-concept exploit code, which is good news for attackers.

Project Zero researchers publicly disclosed the flaw because Microsoft failed to patch it within the 90-day window that Google's disclosure policy allows.

The flaw affects the Windows Graphics Device Interface (GDI) library (gdi32.dll). Google Project Zero member Mateusz Jurczyk reported it to the Microsoft Security Team on June 9, 2016.

The Windows GDI library enables applications to use graphics and formatted text on both the video display and a local printer.

The vulnerability, tracked as CVE-2017-0038, can be exploited by an attacker to read the contents of the memory of the process that renders a specially crafted Enhanced Metafile (EMF) image. Because an EMF image can be embedded in other documents, the bug is easy to deliver and hard to spot.

“I have confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file,” Jurczyk explained.

The impact of the vulnerability is serious: it affects any application that uses the GDI library to render images. An attacker can exploit it to read sensitive data from the memory of the vulnerable process.

According to the vulnerability report filed by the Google Project Zero team, the flaw is part of a set of issues discovered in March 2016 and fixed in June 2016 with the release of Microsoft security bulletin MS16-074.

Unfortunately, the patch released on 15 June 2016 did not fully address the flaw in the GDI library. Because the security updates did not solve all the issues in the Windows library, the Project Zero researchers reported the remaining problem to Microsoft, together with a proof of concept, on 16 November.

“As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker,” states Jurczyk in the second report.
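The mechanism Jurczyk describes, heap bytes turning into pixel colors, comes down to a renderer trusting a length field taken from the file. The C program below is an added example written for this page; it is not gdi32.dll code and not taken from the Project Zero report. The record layout (dib_record_t), the heap layout and the "secret" bytes are constructed for illustration. It shows a vulnerable renderer beside a hardened one: the vulnerable version copies as many bytes as the record claims and so pulls adjacent heap contents into the output bitmap, while the hardened version checks the claimed size against the image geometry and against the bytes actually present before copying anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a metafile bitmap record. This is NOT the real EMF
 * record layout and NOT gdi32.dll code; it only reproduces the bug class:
 * the record *claims* how many pixel bytes follow (cb_bits), while the
 * number actually present in the file is payload_len. */
typedef struct {
    uint32_t width;         /* declared image geometry */
    uint32_t height;
    uint32_t cb_bits;       /* attacker-controlled: claimed size of pixel data */
    const uint8_t *bits;    /* start of pixel data inside the heap copy of the file */
    size_t payload_len;     /* bytes really present after the record header */
} dib_record_t;

#define BYTES_PER_PIXEL 4   /* 32bpp, so an image needs width*height*4 bytes */

/* Vulnerable renderer: only the destination buffer is bounded. The copy
 * length comes straight from the file, so it runs past the real pixel data
 * into whatever the heap holds next, and those bytes become pixel colors. */
size_t render_vulnerable(const dib_record_t *rec, uint8_t *pixels, size_t pixels_cap)
{
    size_t n = rec->cb_bits;
    if (n > pixels_cap)
        n = pixels_cap;
    memcpy(pixels, rec->bits, n);
    return n;
}

/* Hardened renderer: the claimed size must agree with the image geometry
 * and must not exceed the bytes actually present in the record. Returns 0
 * on success and -1 for a malformed record (nothing is copied). */
int render_hardened(const dib_record_t *rec, uint8_t *pixels, size_t pixels_cap, size_t *out_n)
{
    uint64_t expected = (uint64_t)rec->width * rec->height * BYTES_PER_PIXEL;
    if (rec->cb_bits != expected)        return -1;  /* size/geometry mismatch */
    if (rec->cb_bits > rec->payload_len) return -1;  /* would read past the record */
    if (rec->cb_bits > pixels_cap)       return -1;  /* would overflow destination */
    memcpy(pixels, rec->bits, rec->cb_bits);
    *out_n = rec->cb_bits;
    return 0;
}

/* Constructed heap layout for the demo: a 2x1 32bpp image (8 bytes of pixel
 * data) followed, in the same allocation, by 8 bytes standing in for
 * unrelated heap contents (a "secret"). Keeping both in one allocation
 * makes the over-read well-defined for the demo. */
#define IMG_BYTES (2 * 1 * BYTES_PER_PIXEL)
#define SECRET_LEN 8
static const uint8_t SECRET[SECRET_LEN] = { 'S', '3', 'C', 'R', 'E', 'T', '!', '!' };

static uint8_t *build_heap(void)
{
    uint8_t *heap = malloc(IMG_BYTES + SECRET_LEN);
    if (!heap) abort();
    memset(heap, 0xAA, IMG_BYTES);                 /* legitimate pixel data */
    memcpy(heap + IMG_BYTES, SECRET, SECRET_LEN);  /* adjacent heap contents */
    return heap;
}

/* Returns 1 if the vulnerable renderer copied the secret into the output pixels. */
int demo_vulnerable_leaks(void)
{
    uint8_t *heap = build_heap();
    dib_record_t lying = { 2, 1, IMG_BYTES + SECRET_LEN, heap, IMG_BYTES }; /* cb_bits lies */
    uint8_t pixels[64] = {0};
    size_t n = render_vulnerable(&lying, pixels, sizeof pixels);
    int leaked = (n == IMG_BYTES + SECRET_LEN) &&
                 memcmp(pixels + IMG_BYTES, SECRET, SECRET_LEN) == 0;
    free(heap);
    return leaked;
}

/* Returns 1 if the hardened renderer rejects the lying record and leaves
 * both the output buffer and the byte count untouched. */
int demo_hardened_rejects(void)
{
    uint8_t *heap = build_heap();
    dib_record_t lying = { 2, 1, IMG_BYTES + SECRET_LEN, heap, IMG_BYTES };
    uint8_t pixels[64] = {0};
    size_t n = 12345;
    int rc = render_hardened(&lying, pixels, sizeof pixels, &n);
    int clean = (rc == -1) && (n == 12345) && (pixels[0] == 0);
    free(heap);
    return clean;
}

/* Returns the number of bytes the hardened renderer copies for a well-formed record. */
size_t demo_hardened_accepts(void)
{
    uint8_t *heap = build_heap();
    dib_record_t honest = { 2, 1, IMG_BYTES, heap, IMG_BYTES };
    uint8_t pixels[64] = {0};
    size_t n = 0;
    if (render_hardened(&honest, pixels, sizeof pixels, &n) != 0)
        n = 0;
    free(heap);
    return n;
}

int main(void)
{
    printf("vulnerable renderer leaks adjacent heap bytes: %s\n", demo_vulnerable_leaks() ? "yes" : "no");
    printf("hardened renderer rejects lying record:        %s\n", demo_hardened_rejects() ? "yes" : "no");
    printf("hardened renderer copies for honest record:    %zu bytes\n", demo_hardened_accepts());
    return 0;
}
```

The hardened checks are the general fix for this bug class: every length read from the file has to be validated against the bytes actually present and against the geometry it claims to describe before it drives a copy. The qualifier in Jurczyk's report, "GDI clients which allow the extraction of displayed image data back to the attacker", is the other half of the attack: a viewer that merely displays the image leaks nothing to a remote attacker, while a client that lets a script or a conversion service read the rendered bitmap back hands over the leaked bytes.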

Three months have passed without a fix from Microsoft, so Google's security researchers released the details of the flaw to the public.

Mateusz Jurczyk, the Google researcher who discovered the bug, highlighted that the MS16-074 patches were not sufficient to address the issue, which means that threat actors can now exploit the flaw in targeted attacks.

There is no real mitigating factor in this case: as the report notes, the bug reproduces remotely through a .docx document containing the crafted EMF file, so an attacker only needs the victim to open or render the document. The Google Project Zero team decided to disclose the vulnerability because it was convinced that Microsoft would not release security updates this month.

Microsoft recently delayed this month's Patch Tuesday by a month due to "a last-minute issue that could impact some customers and was not resolved in time for [Microsoft's] planned updates" on 14 February.

Experts believe that the flaw in the GDI library will remain unpatched for almost a month, which means that attackers in the wild may exploit it in the coming weeks.

Windows systems will remain vulnerable to cyber attacks until March 15th, when Microsoft plans to release both the February and March security updates.

Researchers at Google confirmed that there is no mitigation to protect vulnerable systems from attackers exploiting this bug.

A previous case

This is the second time Google has decided to disclose a vulnerability before Microsoft had fixed it.

At the end of October 2016, Google's researchers disclosed details of a zero-day exploited by the notorious cyber-espionage group known as APT28, a few days before Microsoft's November Patch Tuesday.

The zero-day, a local privilege-escalation bug in the win32k.sys kernel driver, could be exploited by attackers to gain administrator-level access, escape sandbox protections and execute malicious code.

Google chose to publicly disclose the flaw just ten days after privately reporting it to Microsoft, giving the company very little time to issue security updates.


According to Google, the reason for going public without waiting for a patch was that its experts had observed exploits for the flaw in the wild.

Under Google's disclosure timeline for vulnerabilities, when a flaw is being actively exploited in the wild, its experts publicly disclose the issue after seven days.

“On Friday, October 21st, we reported 0-day vulnerabilities — previously publicly-unknown vulnerabilities — to Adobe and Microsoft. Adobe updated Flash on October 26th to address CVE-2016-7855; this update is available via Adobe’s updater and Chrome auto-update.” reads a blog post published by Google.

“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited.”

According to Google’s Neel Mehta and Billy Leonard, the Windows zero-day “can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”

Microsoft criticized Google's decision, arguing that the disclosure of a zero-day exploit potentially puts its customers at risk of cyber attacks.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said in a statement. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

To disclose or to not disclose, that is the question

Many experts criticized Google's decision to disclose the vulnerabilities when the vendor had failed to fix them, especially since no mitigation is available.

Customers remain exposed to threat actors who can leverage the exploit code shared by the Project Zero team.

In circumstances like this, cooperation between the two IT giants would be the best option for end users, but evidently this remains a utopia.

References

https://bugs.chromium.org/p/project-zero/issues/detail?id=757

https://technet.microsoft.com/library/security/MS16-074

http://securityaffairs.co/wordpress/56411/hacking/windows-gdi-library-flaw.html

http://securityaffairs.co/wordpress/52955/cyber-crime/windows-zero-day-kernel.html

https://security.googleblog.com/2013/05/disclosure-timeline-for-vulnerabilities.html