Google Goes Public with Unpatched Windows Vulnerability

[tao]

Windows flaw disclosed as part of Google Project Zero

Windows users are once again exposed to attacks, as a Google Project Zero engineer has disclosed an unpatched vulnerability in the operating system.

 

Google Project Zero member Mateusz Jurczyk discovered a vulnerability in gdi32.dll which allows attackers to compromise Windows systems, and according to his blog post, this flaw was first reported to the software giant in March 2016.

 

Microsoft acknowledged the vulnerability and attempted to patch it with  MS16-074 released in June 2016, but as Jurczyk puts it, only part of the problem was actually fixed.

 

“We've discovered that not all of the DIB-related problems are gone,” he said. “As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker,” he explains for the more tech-savvy users.

 

Microsoft patch not fixing the issue

Jurczyk reached out to Microsoft once again to report the vulnerability on November 16, 2016, but given the fact that the company didn’t release a new patch, he decided to make it public as per the Google Project Zero disclosure policy. As part of this program, vendors have 90 days to fix security issues after the first notification is submitted, and should they fail to patch them, details are then made public.

 

Microsoft hasn’t yet commented on this new disclosure, but the company’s next patching takes place on March 14, as this month’s Patch Tuesday rollout has already been delayed. This means that users remain vulnerable to attacks at least until next month, if a fix for this vulnerability is indeed included in the patching cycle. It’s not known if a patch for this bug was included in the February 2017 Patch Tuesday.

 

On the good side, exploiting this security flaw involves deploying a specially crafted EMF file on a vulnerable machine and this can only be done with direct access to the computer. It goes without saying that users should stay away from such files coming from sources they cannot trust at least until a patch is delivered.

 

Previous Windows vulnerability disclosures

This isn’t the first time Google goes public with an unpatched security flaw, as a similar disclosure took place in November 2016, when the company published details of a Windows security flaw allowing cybercriminals to gain administrator privileges on vulnerable systems.

 

At that time, Microsoft criticized Google for disclosing the security bug, explaining that the search giant put all windows users “at increased risk.”

 

“We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure.

 

Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” Windows boss Terry Myerson said at that point.

 

We’ve reached out to Microsoft to ask for more information on this new bug and we’ll update the article when an answer is provided.

 

Ref:  < http://news.softpedia.com/news/google-goes-public-with-unpatched-windows-vulnerability-users-again-exposed-513063.shtml >

 

 

[David]

microsoft worried about the new features something has to fail

[straycat19]

3 hours ago, adi said:

 

Windows flaw disclosed as part of Google Project Zero

 

 

There are a hundred more flaws that haven't been exposed that are being held for zero day exploits.  The least secure operating system on the planet is windows and out of all the iterations windows 10 is the absolute worst. The fact that Microshit can't even get their patches working and released on time doesn't inspire confidence in their ability to secure the system.  Also the fact that they are physically coding windows so that users can't control some aspects of the OS to make their systems more secure makes the use of Windows 10 untenable.  The 'Latest and Greatest' is actually the "Latest and Worst" and not something anyone who is interested in absolute security of their systems should run.

[tao]

6 minutes ago, straycat19 said:

There are a hundred more flaws that haven't been exposed that are being held for zero day exploits.  The least secure operating system on the planet is windows and out of all the iterations windows 10 is the absolute worst. The fact that Microshit can't even get their patches working and released on time doesn't inspire confidence in their ability to secure the system.  Also the fact that they are physically coding windows so that users can't control some aspects of the OS to make their systems more secure makes the use of Windows 10 untenable.  The 'Latest and Greatest' is actually the "Latest and Worst" and not something anyone who is interested in absolute security of their systems should run.

In jest: 

 

How would anyone know how many flaws exist if they haven't been exposed yet?

So many brilliant minds at Microsoft (US) are working so very hard to produce the worst Windows so far?

Millions are using the "Latest and Worst" because they are not interested in security?

(What is absolute security?)

 

It all may be true (possible) but it doesn't seem true (probable), eh?  No? 

 

Again, only in jest. 

[jtmulc]

16 hours ago, adi said:

 

At that time, Microsoft criticized Google for disclosing the security bug, explaining that the search giant put all windows users “at increased risk.”

 

Maybe if they got on the ball and patched their products in a timely manner users wouldn't be "at increased risk".

[tao]

7 hours ago, jtmulc said:

Maybe if they got on the ball and patched their products in a timely manner users wouldn't be "at increased risk".

(I am sure) they are trying (without malice) their best; but their best may not be best enough for many; and many may suffer as a result.  

 

What human system is perfect?  Chasing it -- an impossible goal -- causes more pain, eh?  No?

[steven36]

They had almost a year to patch  this and the law gives them 3 months   why does  it seem the news is very Déjà vu  ?  It's nothing new Google  reporting Microsoft  in fact 2 year ago this same news was out.

 

A blast from the past Microsoft blasts Google for baring Windows bugs before they're patched

http://www.computerworld.com/article/2867564/microsoft-blasts-google-for-baring-windows-bugs-before-theyre-patched.html

Google  are a bunch of hypocrites though they leave people on Android exposed while wasting there money on researching windows  and Apple OS ..Please fix you're own OS before you cry wolf on others OS !!!

 

Google Discloses Security Vulnerabilities in OS X—While Leaving a Billion Android Users Exposed

https://www.intego.com/mac-security-blog/google-discloses-security-vulnerabilities-in-osx-android-users-exposed/

 

Android  has what flaws that's been found in the Linux Kernel witch gets patched very fast on Linux  but very slow in Android but most of there malware comes from Googles own stores

http://thehackernews.com/2017/01/hummingbad-android-malware.html

 

[tao]

24 minutes ago, steven36 said:

... Google  are a bunch of hypocrites though they leave people on Android exposed while wasting there money on researching windows  and Apple OS ..Please fix you're own OS before you cry wolf on others OS !!!

With headline such as "G..gle Fixes 51 Vulnerabilities With Release of Ch..me 41" (as an example) with every release of Ch..me, why not build a better -- secure -- browser?

 

Do all browsers have so many [security] vulnerabilities?

 

Please comment (elucidate).  Thanks. Regards. 

[steven36]

All browsers have  security vulnerabilities but Google are the only ones that pay millions of dollars to hackers a year to find exploits in there browser .. Then the next day you read how people were exploited using chrome  . Once  a exploit  is known  it's no longer a 0 day and  by the time patched in 3 months to a year Blackhats have wrote new ones its a false sense of security a viscous  cycle that never stops.  I dont rely on a vendor to patch my browser i harden my own browser against leaks because a lot of the bloat they put in browsers have caused holes in them. 

 

Google and Firefox  are both guilty of  this they remove useful features while adding non useful ones and crippling it's ability to useful too  power users and if you buy into the hype  that they actuality ever fix security vulnerabilities you will update . So they got you by the balls in the name of  security.  Then a few weeks latter they remove more useful features than they claim they patch more holes,  month after mouth, year after year   Before there done with browsers i will need Linux  were devs can make a chrome wrapper to bypass there restrictions . 

 

 

Data Breaches Increased 40 Percent in 2016 if patching holes were doing any good at all they would decrease not rise so i dont buy into the  hype this means hackers were 40% faster than vendors in 2016 just to break even to were they was in 2015  ..

 

 

 

When it comes too Data Breaches online banking  , personal info etc. there's a lot of factors were putting a band aid on software has failed us time and time again.

 

 

[humble3d]

There are thousands of ways to compromise computers in the 21st Century...

We will never see truly secure systems in our life time...

But, perhaps our posterity will see them...hopefully...