After Microsoft Delayed Patch Tuesday, Google Discloses Windows Bug

Published on: February 19th, 2017

By Catalin Cimpanu
February 18, 2017 11:20 AM

For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google’s announcement.

The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll), which is a library that enables applications to use graphics and formatted text on both the video display and a local printer.

Bug received an incomplete fix in June 2016
According to a bug report filed by Google’s Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft’s security bulletin MS16-074.

Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable.

Following subsequent tests, the researcher resubmitted his bug report in November, which Microsoft failed to patch in the 90 days interval Google allows vendors to fix bugs before going public with its reports.

Not the first time this happened
This is the second time Google has taken this step against Microsoft after in November 2016 it disclosed details about a zero-day exploited by a cyber-espionage group known as APT28 (Strontium) a few days before Microsoft’s November Patch Tuesday.

Back then, Google said it took this step to allow users to protect themselves until Microsoft published a patch.

Microsoft’s Terry Myerson, Executive Vice President, Windows and Devices Group, didn’t see it the same way, describing Google’s actions as “disappointing” because it put customers at greater risk of exploitation.

No fix this month because Microsoft delayed Patch Tuesday
Myerson can’t take the same stance again, because Google disclosed this latest unpatched bug on February 14, the same day that Microsoft was supposed to issue February’s Patch Tuesday.

Microsoft delayed this month’s security updates until next month, citing a “last minute issue that could impact some customers.”

Google’s decision only came as a direct answer to Microsoft’s intention to not ship any security updates this month, and this recent issue might have received a fix if Microsoft engineers wouldn’t have tripped over that “last minute issue.”

Bug affects IE and Office Online users
According to Google’s Jurczyk, the issue that Microsoft didn’t patch, tracked as CVE-2017-0038, allows an attacker to read the content of the user’s memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents.

“I have confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file,” Jurczyk explained.

The severity of these types of attacks depends on where the malicious EMF file executes in memory, and what type of data may be present in nearby bytes.

No mitigations available
The Google security expert didn’t provide any mitigation advice against attacks leveraging this security bug.

Windows users will remain vulnerable to attacks until March 15, when Microsoft plans to deliver both the February and March security updates.

On the same day Jurczyk disclosed the unpatched Windows GDI flaws, other members of the Google Project Zero team also detailed 16 security flaws that Microsoft had patched in the Windows NVIDIA Driver in the past. These issues are not related to Jurczyk’s findings.