Google discloses another unpatched Microsoft vulnerability

Google has been actively finding new security vulnerabilities in Microsoft’s products through its Project Zero research wing. The company has now disclosed an issue with Windows, which Microsoft hasn’t patched within the 90-day window given by Google after reporting it to the Redmond giant.

Google’s Project Zero member Mateusz Jurczyk responsibly reported a vulnerability in Windows’ Graphics Device Interface (GDI) library to Microsoft Security Team on the 9th of June last year.

The vulnerability affects any program that uses this library, and if exploited, could potentially allow hackers to steal information from memory.

While Microsoft released a patch for the vulnerability on 15th June, the company did not fix all the issues in the GDI library, forcing the Project Zero researcher to once again report it to Microsoft with a proof-of-concept on 16th of November.

Now, after giving the three-month grace period to the company, Google released the details of the vulnerability to the public, including hackers and malicious actors.

Windows users need not panic, as it requires access to the machine to exploit the issue.It is said that an attacker would have to log on to the machine to execute a specially prepared EMF file to exploit the issue.

Still, this is another unpatched Windows vulnerability after the zero-day SMB vulnerability that came to light in the beginning of February 2017. You need to add the unpatched Flash Player in Edge to that as well.

It is possible that Microsoft had plans to release a security update for the reported vulnerability on the February 2017 Patch day. But that patch day did not happen, as Microsoft announced the postponing of the patch day to March.

We don’t know whether Microsoft has a patch for the issue in the pipeline that would have made Google’s deadline, or if a SMB vulnerability patch would have been made available in February.

Microsoft has yet to reveal why it postponed the patch day a whole month.

Share This: