Mateusz Jurczyk, a member of Google’s Project Zero, reported a vulnerability in gdi32.dll, the library that implements the Windows Graphics Device Interface (GDI), to Microsoft on November 16, 2016. The vulnerability allows a remote attacker to use specially crafted EMF files to read the contents of a user’s memory. Microsoft attempted to address the issue with its June 2016 set of monthly patches, but apparently failed to do so.
Jurczyk first reported issues in gdi32.dll to Microsoft in March 2016, describing how an attacker could exploit the dynamic link library. Microsoft released security bulletin MS16-074 in June 2016, which, among other things, fixed issues in the Windows Graphics Component (gdi32.dll).
But Microsoft’s fix did not fully resolve the issues described on the Google Project Zero website. Jurczyk examined the updated version of gdi32.dll to verify whether the patch was effective and found that it was insufficient. In his new report, he notes that MS16-074 fixed some of the bugs but not all of them; as a result, Internet Explorer and other GDI clients can still disclose out-of-bounds heap bytes, which allows a remote attacker to extract displayed image data.
Under Google’s disclosure policy, vendors get 90 days to fix a reported vulnerability; if that period elapses without a patch, the vulnerability is disclosed to the public. Jurczyk reported the issues to Microsoft on November 16, 2016. The good news for Windows users is that the issue should not be a major concern, as exploiting it requires access to the machine.
Microsoft had planned to release a security update for the reported vulnerability in February 2017. That patch day did not happen, however, as Microsoft announced it was postponing it to March. The February patches were also expected to resolve the previously disclosed high-risk SMB 0-day.
The newly disclosed vulnerability concerns the handling of device-independent bitmaps (DIBs) embedded in EMF records. Jurczyk notes that the EMF record handlers responsible for dealing with DIBs need a careful audit to ensure that all of them correctly enforce the required conditions on the bitmap data. If any condition is not enforced, invalid memory access and subsequent memory disclosure are possible while processing the bitmaps. A couple of years ago, Google modified its vulnerability disclosure policy after being criticized for enforcing it too strictly.
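As an added illustration of the kind of condition such a record handler has to enforce (this is example code written for this article, not code from Project Zero, Microsoft, or gdi32.dll), the validator below takes a record that claims to carry a DIB at given offsets and refuses it unless every byte the bitmap header implies is actually present in the record. The record layout used here is a deliberately simplified, constructed one (a 40-byte BITMAPINFOHEADER followed directly by pixel data), not the real EMF record format; the BITMAPINFOHEADER field layout and the 4-byte row padding rule are those of the standard Windows DIB format. The decisive check is the last one: a header that declares a larger image than the record supplies would otherwise make the consumer read pixel bytes from whatever memory follows the record.

```python
import struct

# Classic 40-byte BITMAPINFOHEADER, little-endian:
# biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression,
# biSizeImage, biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant
BITMAPINFOHEADER_FMT = "<IiiHHIIiiII"
BITMAPINFOHEADER_SIZE = struct.calcsize(BITMAPINFOHEADER_FMT)  # 40
BI_RGB = 0  # uncompressed pixel data


class DibValidationError(ValueError):
    """Raised when an embedded DIB is not fully backed by record bytes."""


def dib_row_stride(width, bpp):
    """Bytes per pixel row: DIB rows are padded to a 4-byte boundary."""
    return ((width * bpp + 31) // 32) * 4


def validate_embedded_dib(record, off_bmi, cb_bmi, off_bits, cb_bits):
    """Validate a DIB that a record claims to carry at the given offsets.

    Returns the number of pixel bytes the header's geometry requires.
    Raises DibValidationError if the header or the pixel data would have
    to be read from outside the bytes the record actually supplies.
    """
    total = len(record)
    # 1. Both (offset, size) pairs must lie inside the record. Python ints
    #    do not wrap, so off + cb cannot overflow the way it could in C.
    for name, off, cb in (("bitmap header", off_bmi, cb_bmi),
                          ("pixel data", off_bits, cb_bits)):
        if off < 0 or cb < 0 or off + cb > total:
            raise DibValidationError(
                f"{name} at offset {off} size {cb} exceeds record of {total} bytes")
    # 2. The header region must hold at least a BITMAPINFOHEADER.
    if cb_bmi < BITMAPINFOHEADER_SIZE:
        raise DibValidationError(f"bitmap header region too small: {cb_bmi} bytes")
    (bi_size, width, height, planes, bpp, compression,
     _size_image, _xppm, _yppm, clr_used, _clr_important) = struct.unpack_from(
        BITMAPINFOHEADER_FMT, record, off_bmi)
    # 3. Only the classic header and uncompressed RGB data are handled here;
    #    anything else is rejected rather than guessed at.
    if bi_size != BITMAPINFOHEADER_SIZE:
        raise DibValidationError(f"unsupported biSize {bi_size}")
    if compression != BI_RGB:
        raise DibValidationError(f"unsupported biCompression {compression}")
    if width <= 0 or height == 0 or planes != 1:
        raise DibValidationError(f"invalid geometry {width}x{height}, planes={planes}")
    if bpp not in (1, 4, 8, 16, 24, 32):
        raise DibValidationError(f"invalid biBitCount {bpp}")
    # 4. Indexed formats carry a colour table after the header; it must fit in cb_bmi.
    if bpp <= 8:
        entries = clr_used if clr_used else (1 << bpp)
        if entries > (1 << bpp):
            raise DibValidationError(f"biClrUsed {clr_used} too large for {bpp} bpp")
        if bi_size + 4 * entries > cb_bmi:
            raise DibValidationError("colour table extends past the bitmap header region")
    # 5. The decisive check: the geometry the header declares must not need
    #    more pixel bytes than the record supplies. abs(height) because a
    #    negative height only means a top-down bitmap.
    required = dib_row_stride(width, bpp) * abs(height)
    if required > cb_bits:
        raise DibValidationError(
            f"{width}x{abs(height)} at {bpp} bpp needs {required} pixel bytes, "
            f"record supplies only {cb_bits}")
    return required


def check_embedded_dib(record, off_bmi, cb_bmi, off_bits, cb_bits):
    """Convenience wrapper: (True, detail) if well-formed, (False, reason) otherwise."""
    try:
        need = validate_embedded_dib(record, off_bmi, cb_bmi, off_bits, cb_bits)
        return True, f"ok: needs {need} pixel bytes, {cb_bits} supplied"
    except DibValidationError as exc:
        return False, str(exc)


def build_record(width, height, bpp, pixel_bytes):
    """Constructed test input: a simplified record made of a BITMAPINFOHEADER
    followed directly by pixel data (NOT the real EMF record layout).
    Returns the argument tuple that validate_embedded_dib() expects."""
    header = struct.pack(BITMAPINFOHEADER_FMT, BITMAPINFOHEADER_SIZE, width, height,
                         1, bpp, BI_RGB, len(pixel_bytes), 2835, 2835, 0, 0)
    record = header + pixel_bytes
    return record, 0, len(header), len(header), len(pixel_bytes)


if __name__ == "__main__":
    # 4x2 pixels at 24 bpp: stride 12, so 24 bytes of pixel data is exactly enough.
    honest = build_record(4, 2, 24, b"\x00" * 24)
    print(check_embedded_dib(*honest))
    # The same 24 bytes of pixel data, but the header claims a 64x64 image:
    # a handler trusting the header would read 12288 bytes, nearly all of
    # them from memory beyond the record.
    lying = build_record(64, 64, 24, b"\x00" * 24)
    print(check_embedded_dib(*lying))
```

The validator deliberately rejects anything it does not fully understand (other header versions, compressed formats) instead of assuming a size; a real record handler has to cover every DIB variant it accepts, which is exactly why the audit Jurczyk describes has to walk each handler individually.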