Don't worry, slowpoke Microsoft, we patched Windows bug for you, brags security biz
You snooze, you lose
Video A computer security outfit claims to have plugged an information leak in Windows that was publicly revealed by Google before Microsoft had a patch ready. Could this third-party patching become a trend?
Last month, Google's Project Zero team disclosed details of a trivial vulnerability in the Windows user-mode GDI library: the programming blunder can be exploited by dodgy enhanced metafiles (EMFs) to siphon sensitive stuff from memory. This flaw can be potentially abused by hackers to extract data from an application's memory, or defeat ASLR to pave the way for reliable remote-code execution.
Google said it had given Microsoft 90 days to fix the issue and, as it hadn't, the Chocolate Factory went public with both the flaw and a proof-of-concept exploit. Now Slovenia-based Arcos Security says it's managed to produce a patch and has released it, via its 0patch tool, for those who want to give it a try.
"I have to kindly thank Mateusz Jurczyk of Google Project Zero for a terse and accurate report that allowed me to quickly grasp what the bug was about and jump onto patching it," said Luka Treiber from Arcos.
He explained that flaw lies within the GDI library's EMF image format parsing logic: it doesn't check the dimensions specified in an incoming image file against the actual pixel count, thus allowing the document to trick the code into reading more memory than it should. To fix this, he added a checking function into the code, and he says that the patch will work for 64-bit Windows 10, Windows 8.1, and Windows 7, and 32-bit Windows 7.
Here's a video of the patch catching an attempt to exploit the GDI bug.
"While not the most severe issue, I get shivers thinking that ... a malicious page could steal credentials to my online banking account or grab a photo of me after last night's party from my browser's memory," Treiber said.
Redmond skipped its February Patch Tuesday update after hitting problems with its software build and distribution systems. This GDI bug is expected to be addressed in the next monthly patch dump, due on March 15, but a fix isn't guaranteed.
“We’re unable to endorse unverified third party security updates," a spokesperson for Microsoft said. "Our security updates are tested extensively prior to release, and we recommend customers enable automatic updates to receive the latest protections when available.” ®