Brian Jackson - Fotolia

Google discloses Windows vulnerability after canceled Patch Tuesday

Google Project Zero discloses a Windows vulnerability that passed the 90-day deadline. And it comes soon after Microsoft canceled its Patch Tuesday release.

Google has proven it has no mercy when it comes to disclosing vulnerabilities that remain unpatched after its 90-day policy has passed -- and a new Windows vulnerability is no exception.

Mateusz Jurczyk, a security researcher based in Poland and member of Google's Project Zero team, found multiple Windows vulnerabilities in Microsoft's Graphics Device Interface library. According to Jurczyk, some of the issues were fixed as part of Microsoft's June 2016 Patch Tuesday release (MS16-074), but not all. As part of a post on Nov. 16, 2016, Jurczyk said he disclosed the vulnerability to Microsoft.

Project Zero has a strict 90-day disclosure deadline, after which it will release the details of the bugs it finds, regardless of whether there is a patch or not -- a practice which has burned Microsoft in the past. This time, a proof-of-concept exploit of the Windows vulnerability became publicly visible once the 90-day deadline passed.

Jurczyk described an exploit that reads memory contents where a malicious image file would force pixels to be "drawn based on junk heap data, which may include sensitive information, such as private user data or information about the virtual address space. I have confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file."

Craig Young, security researcher at Tripwire Inc., based in Portland, Ore., told SearchSecurity this Windows vulnerability alone wasn't too dangerous, but it "could give an attacker a way to exploit a difficult-to-exploit code execution bug."

"Usually, this type of vulnerability is essentially a primitive tool useful only as a step in a larger exploit chain containing more serious code execution flaws. In this specific instance, however, an attacker could theoretically use crafted image files within web content in such a way that the attacker could read data on the user's PC that they should not have access to," Young said. "Fortunately, there is no indication that an attacker intentionally read specific data, but rather is limited to random heap memory contents likely adjacent to where the malicious graphic was constructed."

The vulnerability disclosure comes less than one week after Microsoft surprised customers by cancelling February's Patch Tuesday release without giving a clear reason. It is unknown if the patch for this Windows vulnerability would have been part of the Patch Tuesday release.

Microsoft did not respond to questions about the Windows vulnerability, but pointed to an official statement about Patch Tuesday being cancelled, which attributed "a last-minute issue that could impact some customers" as the reason for the delay.

Even without a patch, though, Young said, "Network administrators should not lose sleep over this bug."  

"The details released should allow security vendors to recognize exploitation attempts of this flaw," Young said. "As usual, browsing and opening only trusted content is very important. For web browsing, the use of HTTPS can also help by ensuring that content from a trusted site is not altered by a malicious actor."

Next Steps

Learn more about the software vulnerability disclosure debate.

Find out how Windows vulnerabilities are combatted in Windows 10.

Get info on whether crash data can be a security vulnerability.

Dig Deeper on Application and platform security