
Google again uncovered unclosed vulnerability in Windows



For the second time in three months, Google's researchers have disclosed a bug in the Windows operating system before Microsoft released a patch. In theory, for several weeks now anyone has been able to exploit a critical vulnerability present on every Windows computer.

Public disclosure is widely considered the most effective way to push a vendor into releasing a patch. In this sense Google is doing all users a service by forcing Microsoft to act.
In this case, the vulnerability is found in the Windows GDI (Graphics Device Interface) subsystem, that is, in the gdi32.dll library.

GDI is one of the three major subsystems of Windows, alongside the operating system kernel and the Windows API. The gdi32.dll library is responsible for drawing lines and curves, rendering fonts and handling palettes. It is the Windows interface for displaying graphical objects and sending them to output devices. Disclosing a critical GDI vulnerability is comparable to disclosing a vulnerability in the operating system kernel itself.

The latest bug report was published on November 16, 2016 by Project Zero staff. The bug was first mentioned even earlier, in March 2016, together with a large batch of other Windows vulnerabilities. Microsoft formally fixed it in June 2016 and published security bulletin MS16-074. In practice, however, the released patch was incomplete.

As Google security researcher Mateusz Jurczyk wrote, patch MS16-074 does not fully eliminate the vulnerability and leaves room for exploiting the bug. Some of the attack vectors reported in March remained usable after the patch was installed. The details are described in the November bug report.

Bug CVE-2017-0038 allows a malicious program to read the contents of memory using a specially crafted EMF file. Files of this format can be embedded in various documents and are processed automatically in Internet Explorer, in Office Online or inside a .docx document.

In November, Mateusz Jurczyk ran a series of tests, confirmed that the vulnerability could still be exploited, and sent a report to Microsoft. Following the disclosure rules customary in the information security community, he published the information publicly after 90 days, even though the new patch had not been released by then.

This is not the first time recently that Google has published information about an unpatched Windows vulnerability. Recall that in November 2016, Google Threat Analysis Group experts disclosed a dangerous Windows vulnerability just 10 days after reporting it to Microsoft. The short interval was explained by the fact that the vulnerability was already being actively exploited. Given the severity of the bug, Google's actions were quite appropriate: at that time the Windows 0-day was already being used by the APT28 group (Fancy Bear). Under the Google Threat Analysis Group's policy, the disclosure period for actively exploited vulnerabilities is 7 days.

The Russian-speaking hacker group APT28 is well known for cyber attacks on government, media, military and other organizations in foreign countries, as well as on Russian opposition figures and journalists. According to ESET, the group attacked the embassies of dozens of states, the defense ministries of Argentina, Bangladesh, Turkey, South Korea and Ukraine, NATO staff, Ukrainian politicians and journalists from Eastern Europe. In Russia, its targets included members of the Anonymous International group (Humpty Dumpty), members of the Parnas party and other opposition figures, as well as foreign scholars who visited Russian universities.

In the summer of 2016, the internal network of the US Democratic Party was breached. Experts from CrowdStrike, who handled the response to the breach, said it had been carried out by the Fancy Bear and Cozy Bear groups.

In the same way, in 2015 Google disclosed a Windows vulnerability ahead of a patch, for which Microsoft criticized it. That case was even more striking, because Microsoft specifically asked Google to wait a few more days before disclosure to give it time to release a patch for Windows 8.1. But Google did not compromise on its principles.

Apparently, Google and Microsoft simply see the problem differently. Google believes that informing users about the danger only improves overall security and forces a patch to be released sooner. Microsoft believes there is no need to air dirty laundry in public.

Last November, Terry Myerson, Microsoft's executive vice president and head of the Windows and Devices Group, called Google's move "disappointing" because it puts millions of Windows users at risk.

This time, Microsoft has only itself to blame, because Google waited until February 14, the day Microsoft ships its monthly update package. A patch for this vulnerability did not appear.

Most likely, Windows users will remain unprotected against CVE-2017-0038 at least until March 15, 2017, when Microsoft plans to release the next cumulative security update.

Source: https://habr.com/ru/post/373187/