Microsoft failed to patch a flaw in GDI library, Google released a PoC exploit

Security experts at the Google Project Zero group have publicly disclosed a vulnerability affecting Microsoft’s Windows OS.

It has happened again, the hackers at Google Project Zero have publicly disclosed a vulnerability affecting Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10, that had yet to be patched by the IT giant.

The experts also published a proof-of-concept exploit code.
In October, the experts at the Google Project Zero publicly disclosed a critical Windows zero-day vulnerability ten days after reporting it to Microsoft.

According to Google, the reason for going public without waiting for a patch is that its experts have observed exploits for the flaw in the wild.

According to Google disclosure timeline for vulnerability, when a flaw is exploited in the wild Google public disclosed the flaw after seven days.

Back to the present, the experts at Project Zero publicly disclosed the flaw in Windows OS because Microsoft failed to patch it within the 90-day window given by the Google.

The flaw affected the Windows’ Graphics Device Interface (GDI) library, the Google’s Project Zero member Mateusz Jurczyk reported it to the Microsoft Security Team on the 9th of June last year.

The impact of the vulnerability is serious, it affects any application that uses this GDI library. An attacker can exploit the vulnerability to steal sensitive data from the memory of the vulnerable system.

As explained before, Microsoft failed to address the flaw in the GDI library with a patch released on 15th June. The security updates did not solve all the issues in the Windows library, for this reason, the Project Zero experts report it to Microsoft with a proof-of-concept on 16th of November.

“As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker,” states Jurczyk in the second report.

Three months have passed, but Microsoft failed to solve the vulnerability so Google security experts released the details of the flaw to the public.

This implies that threat actors in the wild now can exploit the flaw in targeted attacks.

The good news, in this case, is that an attacker needs a physical access to the target machine to exploit the vulnerability.

Recently Microsoft delayed this month’s Patch Tuesday by a month due to “a last-minute issue that could impact some customers and was not resolved in time for [Microsoft’s] planned updates” on 14th February.