Google Exposes Vulnerability on Windows That Microsoft Has Failed To Patch
February 21, 2017
Seid Yassin

Yes, Google’s Project Zero team has once again publicly disclosed an unpatched vulnerability (with a PoC exploit) affecting Microsoft’s Windows operating systems, ranging from Windows Vista Service Pack 2 to the latest Windows 10.

A few months back, the search engine giant disclosed a critical Windows vulnerability to the public just ten days after revealing the flaw to Microsoft.

However, this time Google revealed the vulnerability in Windows to the public after Microsoft failed to patch it within the 90-day window given by the company.

Google’s Project Zero member Mateusz Jurczyk responsibly reported a vulnerability in Windows’ Graphics Device Interface (GDI) library to Microsoft’s security team on the 9th of June last year.

The vulnerability affects any program that uses this library, and if exploited, could potentially allow hackers to steal information from memory.

While Microsoft released a patch for the vulnerability on the 15th of June, the company did not fix all the issues in the GDI library, forcing the Project Zero researcher to report it to Microsoft once again, with a proof-of-concept, on the 16th of November.

“As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker,” Jurczyk notes in the new report.

Now, after giving the three-month grace period to the company, Google released the details of the vulnerability to the public, including hackers and malicious actors.

Source | 2020techblog