Google’s security researchers disclosed details of an unpatched Microsoft vulnerability in Windows’ GDI library that allows attackers to steal sensitive data from program memory.
The flaw was first addressed by Microsoft last June, but Google said the patch was incomplete. Under its 90-day disclosure deadline policy, Google Project Zero publicly disclosed the bug Monday.
“As part of MS16-074, some of the bugs were indeed fixed, such as the EMR_STRETCHBLT record, which the original proof-of-concept image relied on. However, we’ve discovered that not all of the DIB-related problems are gone,” wrote Google engineer Mateusz Jurczyk in a technical description of the vulnerability. Despite the notification, the soonest Microsoft could ship a fix is March: Microsoft postponed its February security bulletins to next month.
The flaw is in Windows’ GDI library (gdi32.dll), Jurczyk said. In Project Zero’s proof of concept, several bugs in the handling of DIBs (Device Independent Bitmaps) embedded in EMF (Enhanced Metafile Format) records created conditions where “255 pixels are drawn based on junk heap data, which may include sensitive information, such as private user data or information about the virtual address space.” In other words, a record whose bitmap header promises more pixel data than the record actually carries causes the handler to render whatever happens to sit in memory past the supplied bytes, and those pixel colors can then be read back.
“It is possible to disclose uninitialised or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker,” Jurczyk said. “I have confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file.”
Google Project Zero, the internet giant’s bug hunting team, privately reported the vulnerability to Microsoft on Nov. 16. Under Project Zero’s policy, the team notifies the vendor and, once 90 days have elapsed, makes the details public whether or not the vendor has shipped a patch. Microsoft did not reply to requests for comment.
Microsoft originally issued a patch rated “important” in June to address the vulnerability. At the time, Microsoft described it as a bug that could allow elevation of privilege if a user opens a specially crafted document or visits a specially crafted website. According to MITRE’s Common Vulnerabilities and Exposures database, the new flaw (CVE-2017-0038) is the result of “an incomplete fix for CVE-2016-3216, CVE-2016-3219, and/or CVE-2016-3220.” Per the CVE entry, the affected platforms are Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016.
“It is strongly advised to perform a careful audit of all EMF record handlers responsible for dealing with DIBs, in order to make sure that each of them correctly enforces all four conditions necessary to prevent invalid memory access (and subsequent memory disclosure) while processing the bitmaps,” Jurczyk wrote.
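To make concrete what such an audit has to enforce, the following Python is an added example written for this article; it is neither Project Zero’s proof of concept nor Microsoft’s code. It builds an EMR_STRETCHBLT record around a DIB and then validates the record the way a handler should: the BITMAPINFO header, its color table and the pixel bits must all lie inside the record, and the pixel bytes the header declares (width, height, bit depth) must not exceed the bytes the record actually supplies. A record that declares a larger bitmap than it carries is exactly the shape that makes a naive handler draw pixels from memory beyond the buffer. The field offsets follow the MS-EMF EMR_STRETCHBLT layout as I understand it (an assumption to verify against the spec), the mapping of the checks to Jurczyk’s “four conditions” is my own reading since the page does not enumerate them, and every sample record is constructed inline.

```python
import struct

# EMF record type and fixed-part size of EMR_STRETCHBLT (assumed from the MS-EMF spec).
EMR_STRETCHBLT = 0x4D
EMR_STRETCHBLT_FIXED_SIZE = 108
# Offsets, within the record, of the four fields that locate the embedded DIB (assumed layout).
OFF_BMI, CB_BMI, OFF_BITS, CB_BITS = 84, 88, 92, 96
BITMAPINFOHEADER_FMT = '<IiiHHIIiiII'   # biSize .. biClrImportant, 40 bytes
BITMAPINFOHEADER_SIZE = 40
BI_RGB = 0
SRCCOPY = 0x00CC0020


def dib_stride(width, bpp):
    """Bytes per DIB scanline: rows are padded to a 4-byte boundary."""
    return ((width * bpp + 31) // 32) * 4


def build_stretchblt(width, height, bpp, bits, palette=b''):
    """Construct an EMR_STRETCHBLT record carrying an uncompressed DIB (sample data for this example).

    `bits` is used as-is, so passing fewer bytes than the header implies yields the malformed
    shape discussed in the article: a header that promises more pixels than the record holds."""
    bmi = struct.pack(BITMAPINFOHEADER_FMT, BITMAPINFOHEADER_SIZE, width, height, 1, bpp,
                      BI_RGB, 0, 0, 0, len(palette) // 4, 0) + palette
    off_bmi = EMR_STRETCHBLT_FIXED_SIZE
    off_bits = off_bmi + len(bmi)
    size = (off_bits + len(bits) + 3) & ~3                          # EMF records are DWORD-aligned
    rec = bytearray(size)
    struct.pack_into('<II', rec, 0, EMR_STRETCHBLT, size)
    struct.pack_into('<iiii', rec, 24, 0, 0, width, abs(height))   # xDest, yDest, cxDest, cyDest
    struct.pack_into('<I', rec, 40, SRCCOPY)
    struct.pack_into('<ffffff', rec, 52, 1, 0, 0, 1, 0, 0)          # identity XFORM
    struct.pack_into('<IIII', rec, OFF_BMI, off_bmi, len(bmi), off_bits, len(bits))
    struct.pack_into('<ii', rec, 100, width, abs(height))           # cxSrc, cySrc
    rec[off_bmi:off_bmi + len(bmi)] = bmi
    rec[off_bits:off_bits + len(bits)] = bits
    return bytes(rec)


def with_field(rec, offset, value):
    """Return a copy of `rec` with the DWORD at `offset` overwritten (used to tamper with samples)."""
    out = bytearray(rec)
    struct.pack_into('<I', out, offset, value)
    return bytes(out)


def validate_dib_record(rec):
    """Check that every byte a handler would read for the DIB lies inside the record.

    Returns (True, '') or (False, reason). Python integers cannot overflow; a C
    implementation must guard each offset+size sum against wraparound before comparing."""
    if len(rec) < EMR_STRETCHBLT_FIXED_SIZE:
        return False, 'record shorter than EMR_STRETCHBLT fixed part'
    itype, nsize = struct.unpack_from('<II', rec, 0)
    if itype != EMR_STRETCHBLT or nsize & 3 or nsize > len(rec):
        return False, 'bad record type or size'
    off_bmi, cb_bmi, off_bits, cb_bits = struct.unpack_from('<IIII', rec, OFF_BMI)
    # 1. BITMAPINFOHEADER must be inside the record and fully present.
    if off_bmi < EMR_STRETCHBLT_FIXED_SIZE or cb_bmi < BITMAPINFOHEADER_SIZE or off_bmi + cb_bmi > nsize:
        return False, 'BITMAPINFO lies outside the record'
    # 2. The pixel bits must be inside the record.
    if off_bits < EMR_STRETCHBLT_FIXED_SIZE or off_bits + cb_bits > nsize:
        return False, 'bitmap bits lie outside the record'
    (bi_size, width, height, planes, bpp, compression,
     _, _, _, clr_used, _) = struct.unpack_from(BITMAPINFOHEADER_FMT, rec, off_bmi)
    if (bi_size != BITMAPINFOHEADER_SIZE or planes != 1 or compression != BI_RGB
            or bpp not in (1, 4, 8, 16, 24, 32) or width <= 0 or height == 0):
        return False, 'unsupported or malformed BITMAPINFOHEADER'
    # 3. The color table the header implies must fit in cbBmiSrc.
    if bpp <= 8:
        entries = clr_used or (1 << bpp)
        if entries > (1 << bpp) or BITMAPINFOHEADER_SIZE + 4 * entries > cb_bmi:
            return False, 'color table exceeds cbBmiSrc'
    # 4. Every pixel byte the header declares must be backed by bytes the record supplies.
    needed = dib_stride(width, bpp) * abs(height)
    if needed > cb_bits:
        return False, f'header declares {needed} pixel bytes but record supplies {cb_bits}'
    return True, ''


def scan_records(blob):
    """Walk concatenated EMF records; returns [(offset, type, ok, reason)] per record."""
    results, pos = [], 0
    while pos + 8 <= len(blob):
        itype, nsize = struct.unpack_from('<II', blob, pos)
        if nsize < 8 or nsize & 3 or pos + nsize > len(blob):
            results.append((pos, itype, False, 'truncated record'))
            break
        rec = blob[pos:pos + nsize]
        # Only EMR_STRETCHBLT is modelled here; the other DIB-bearing record types need the same
        # four checks with their own field offsets, which is the audit the article calls for.
        ok, why = validate_dib_record(rec) if itype == EMR_STRETCHBLT else (True, 'not a modelled DIB record')
        results.append((pos, itype, ok, why))
        pos += nsize
    return results


if __name__ == '__main__':
    good = build_stretchblt(4, 4, 24, b'\x80' * dib_stride(4, 24) * 4)
    short = build_stretchblt(4, 4, 24, b'\x80' * 8)   # header says 48 bytes, record carries 8
    for name, rec in (('good', good), ('short', short)):
        print(name, validate_dib_record(rec))
```

The validator is written in Python so the four checks read clearly; in a C handler the same comparisons must be done with overflow-safe arithmetic, since attacker-controlled offBmiSrc plus cbBmiSrc (or offBitsSrc plus cbBitsSrc) can wrap a 32-bit sum back below nSize and slip past a naive bounds test.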