Security research firm ACROS Security has issued a third-party patch for a Microsoft vulnerability that Google disclosed last month after Microsoft failed to ship a fix within Google's 90-day disclosure deadline.
Officially designated CVE-2017-0038, the vulnerability is an information-disclosure bug in the Windows Graphics Component's GDI library (gdi32.dll), triggered by the mishandling of Device Independent Bitmaps (DIBs) embedded in EMF metafiles. According to ACROS Security's 0patch blog, "Attackers can exploit this flaw to steal sensitive data that an application holds in memory or as an aid in other exploits when ASLR [address space layout randomization] needs to be defeated."
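The bug class behind a GDI DIB memory disclosure is a metafile record whose bitmap header declares more pixel data than the record actually carries, so a parser that trusts the header reads past the supplied buffer. The following checker is an added example, not ACROS's micropatch or any code from the page: it walks an EMF record stream and flags EMR_SETDIBITSTODEVICE and EMR_STRETCHDIBITS records whose BITMAPINFOHEADER implies more bytes than cbBitsSrc provides. That reading of the flaw is my assumption; record layouts follow the public MS-EMF specification, and the sample record streams are constructed inline (without an EMR_HEADER record, which the walker does not require).

```python
import struct

# EMF record types (MS-EMF 2.1.1) and the DIB constants the checker relies on
EMR_EOF = 0x0E
EMR_SETDIBITSTODEVICE = 0x50
EMR_STRETCHDIBITS = 0x51
BI_RGB = 0
SRCCOPY = 0x00CC0020
VALID_BPP = (1, 4, 8, 16, 24, 32)


def iter_emf_records(data):
    """Yield (type, record_bytes) for each record in an EMF record stream.

    Stops at EMR_EOF. A record whose declared size runs past the buffer is the
    first thing a metafile parser must refuse, so it raises ValueError.
    """
    off = 0
    while off + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, off)
        if size < 8 or size % 4 or off + size > len(data):
            raise ValueError("malformed record size %d at offset %d" % (size, off))
        yield rtype, data[off:off + size]
        if rtype == EMR_EOF:
            return
        off += size


def dib_expected_bytes(bmi):
    """Bytes of pixel data a BITMAPINFOHEADER implies for an uncompressed (BI_RGB) DIB.

    Returns None for headers this checker does not understand. Python ints do not
    overflow; in C the width*bpp product is a separate integer-overflow hazard.
    """
    if len(bmi) < 40:
        return None
    bi_size, width, height, _planes, bpp, compression = struct.unpack_from("<IiiHHI", bmi, 0)
    if bi_size < 40 or compression != BI_RGB or bpp not in VALID_BPP or width < 0:
        return None
    stride = ((width * bpp + 31) // 32) * 4   # each row is padded to a 4-byte boundary
    return stride * abs(height)                # negative height means a top-down DIB


def check_dib_record(rec):
    """Return a finding string when a DIB record claims more pixels than it carries, else None."""
    rtype, size = struct.unpack_from("<II", rec, 0)
    if size < 76:
        return "record 0x%02x: too short (%d bytes) to hold a DIB record header" % (rtype, size)
    # Both record types place offBmiSrc, cbBmiSrc, offBitsSrc, cbBitsSrc at byte 48.
    off_bmi, cb_bmi, off_bits, cb_bits = struct.unpack_from("<4I", rec, 48)
    if off_bmi + cb_bmi > size or off_bits + cb_bits > size:
        return "record 0x%02x: BITMAPINFO or pixel buffer lies outside the %d-byte record" % (rtype, size)
    expected = dib_expected_bytes(rec[off_bmi:off_bmi + cb_bmi])
    if expected is None:
        return "record 0x%02x: unsupported or invalid BITMAPINFOHEADER" % rtype
    if expected > cb_bits:
        return "record 0x%02x: header implies %d bytes of pixels but cbBitsSrc is %d" % (rtype, expected, cb_bits)
    return None


def scan_emf(data):
    """Run the consistency check over every DIB-carrying record; returns a list of findings."""
    findings = []
    for rtype, rec in iter_emf_records(data):
        if rtype in (EMR_SETDIBITSTODEVICE, EMR_STRETCHDIBITS):
            finding = check_dib_record(rec)
            if finding:
                findings.append(finding)
    return findings


def build_dib_record(rtype, width, height, bpp, pixels):
    """Construct one EMR_SETDIBITSTODEVICE or EMR_STRETCHDIBITS record (test data, not a real file)."""
    bmi = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, BI_RGB, len(pixels), 0, 0, 0, 0)
    fixed = 76 if rtype == EMR_SETDIBITSTODEVICE else 80
    off_bmi, off_bits = fixed, fixed + len(bmi)
    pad = (-(off_bits + len(pixels))) % 4
    body = (struct.pack("<4i", 0, 0, width, height)                 # Bounds
            + struct.pack("<6i", 0, 0, 0, 0, width, height)         # xDest, yDest, xSrc, ySrc, cxSrc, cySrc
            + struct.pack("<4I", off_bmi, len(bmi), off_bits, len(pixels))
            + struct.pack("<I", 0))                                 # UsageSrc = DIB_RGB_COLORS
    if rtype == EMR_SETDIBITSTODEVICE:
        body += struct.pack("<II", 0, height)                       # iStartScan, cScans
    else:
        body += struct.pack("<Iii", SRCCOPY, width, height)         # raster op, cxDest, cyDest
    return struct.pack("<II", rtype, off_bits + len(pixels) + pad) + body + bmi + pixels + b"\0" * pad


# Constructed sample streams. A 2x2 24-bpp DIB needs 8 bytes per row, 16 in total.
EOF_RECORD = struct.pack("<IIIII", EMR_EOF, 20, 0, 0, 20)
BENIGN_EMF = build_dib_record(EMR_STRETCHDIBITS, 2, 2, 24, b"\xff" * 16) + EOF_RECORD
# 64x64 at 24 bpp needs 192 * 64 = 12288 bytes, but the record supplies only 16.
OVERSIZED_EMF = build_dib_record(EMR_SETDIBITSTODEVICE, 64, 64, 24, b"\xff" * 16) + EOF_RECORD

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_EMF), ("oversized", OVERSIZED_EMF)):
        print(name, scan_emf(blob) or "ok")
```

The checker only understands plain BI_RGB bitmaps; RLE and bitfield DIBs have their own length rules and would need separate handling. It also verifies record-internal consistency only, which is the check a GDI record handler has to make before touching the pixel buffer; it is not a full EMF validator.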
To address this concern, ACROS is making its patch available free of charge for Windows 10 (64-bit), Windows 8.1 (64-bit), and Windows 7 (64-bit and 32-bit). The patch is intended as a temporary measure until Microsoft releases its own fix.
Microsoft was originally going to address the problem in February, before cancelling its Patch Tuesday update for that month due to what the company described as a “last-minute issue that could impact some customers and was not resolved in time for our planned updates…”
A Monday blog post from Bitdefender reported on the ACROS patch, noting that Microsoft first attempted to fix this bug in June 2016. In November 2016, Google Project Zero researcher Mateusz Jurczyk reported that the fix was incomplete, and Google published full details of the bug in February when its disclosure deadline expired.