Google discloses zero-day Windows flaw


By Dylan Bushell-Embling
Monday, 20 February, 2017

Google discloses zero-day Windows flaw

Google has disclosed the existence of a security flaw within a Windows library, days after Microsoft delayed the release of its latest batch of Windows patches by a month.

Google Security Researcher Mateusz Jurczyk last year discovered multiple bugs in the Windows graphic device interface library that could potentially be exploited to read sensitive data within the device’s memory.

Jurczyk posted his findings on the Chromium bug tracker, subject to a 90-day disclosure deadline. That deadline expired late last week.

The exploit works by manually editing the contents of the device independent bitmaps embedded within Enhanced Metafile records used by Windows. In a proof-of-concept, Jurczyk edited a record to describe a 16x16 bitmap by just four bytes, “which is good for only a single pixel”.

The remaining pixels are drawn based on junk heap data, which could include sensitive information such as private user data.

This marks the second zero-day exploit that has been disclosed at around the same time Microsoft revealed it was putting off issuing any updates during February.

In the first instance, a proof-of-concept exploit was released on GitHub that implements a Server Message Block version 3 (SMBv3) server and can trigger a buffer overflow for connected clients, causing a blue screen of death.

Google and Microsoft also have a history of conflict surrounding Google’s practices of disclosing vulnerabilities shortly after they are discovered. Microsoft has previously accused Google of putting customers at risk by disclosing before Microsoft has time to issue a patch.

Image courtesy of Neon Tommy under CC

Follow us on Twitter and Facebook

Related News

Arctic Wolf launches incident response platform

Arctic Wolf has launched a new solution combining incident readiness with incident response...

Tenable adds third‍-‍party connectors to Tenable One

Tenable has introduced a range of third‍-‍party data connectors to its Tenable One...

Just 8.5% of Aussie organisations have quantum‍-‍safe encryption

Research from DigiCert shows a wide gap between Australian enterprises' awareness of quantum...


  • All content Copyright © 2025 Westwick-Farrow Pty Ltd