Google discloses zero-day Windows flaw
Google has disclosed the existence of a security flaw within a Windows library, days after Microsoft delayed the release of its latest batch of Windows patches by a month.
Google Security Researcher Mateusz Jurczyk last year discovered multiple bugs in the Windows graphic device interface library that could potentially be exploited to read sensitive data within the device’s memory.
Jurczyk posted his findings on the Chromium bug tracker, subject to a 90-day disclosure deadline. That deadline expired late last week.
The exploit works by manually editing the contents of the device independent bitmaps embedded within Enhanced Metafile records used by Windows. In a proof-of-concept, Jurczyk edited a record to describe a 16x16 bitmap by just four bytes, “which is good for only a single pixel”.
The remaining pixels are drawn based on junk heap data, which could include sensitive information such as private user data.
This marks the second zero-day exploit that has been disclosed at around the same time Microsoft revealed it was putting off issuing any updates during February.
In the first instance, a proof-of-concept exploit was released on GitHub that implements a Server Message Block version 3 (SMBv3) server and can trigger a buffer overflow for connected clients, causing a blue screen of death.
Google and Microsoft also have a history of conflict surrounding Google’s practices of disclosing vulnerabilities shortly after they are discovered. Microsoft has previously accused Google of putting customers at risk by disclosing before Microsoft has time to issue a patch.
ISACA identifies gaps in AI knowledge, training and policies
85% of digital trust professionals say they will need to increase their AI skills and knowledge...
VNC accounts for nearly all remote desktop attacks
Virtual Network Computing accounted for 98% of remote desktop attacks recorded by Barracuda last...
Vectra AI expands platform to combat GenAI threats
Vectra AI has announced new enhancements to its AI-driven platform aimed at protecting businesses...