Google discloses zero-day Windows flaw
Google has disclosed the existence of a security flaw within a Windows library, days after Microsoft delayed the release of its latest batch of Windows patches by a month.
Google Security Researcher Mateusz Jurczyk last year discovered multiple bugs in the Windows graphic device interface library that could potentially be exploited to read sensitive data within the device’s memory.
Jurczyk posted his findings on the Chromium bug tracker, subject to a 90-day disclosure deadline. That deadline expired late last week.
The exploit works by manually editing the contents of the device independent bitmaps embedded within Enhanced Metafile records used by Windows. In a proof-of-concept, Jurczyk edited a record to describe a 16x16 bitmap by just four bytes, “which is good for only a single pixel”.
The remaining pixels are drawn based on junk heap data, which could include sensitive information such as private user data.
This marks the second zero-day exploit that has been disclosed at around the same time Microsoft revealed it was putting off issuing any updates during February.
In the first instance, a proof-of-concept exploit was released on GitHub that implements a Server Message Block version 3 (SMBv3) server and can trigger a buffer overflow for connected clients, causing a blue screen of death.
Google and Microsoft also have a history of conflict surrounding Google’s practices of disclosing vulnerabilities shortly after they are discovered. Microsoft has previously accused Google of putting customers at risk by disclosing before Microsoft has time to issue a patch.
Ingram Micro adds AlgoSec to supplier line-up
Ingram Micro has reached an agreement to distribute application-centric security...
CyberCX to be bought out by Accenture
Accenture has arranged to make its largest cybersecurity acquisition to date through the purchase...
CrowdStrike launches next-gen identity security tool
CrowdStrike’s latest addition to its Falcon platform enables organisations to identify and...