Irresponsible disclosure? Google reveals bug prior to Microsoft patch

Google's Project Zero has revealed a bug in Windows' Graphics Component GDI Library before Microsoft has fixed it.

The Google project operates a strict rule: it notifies companies of bugs in their software and sets a 90-day deadline for them to issue a fix, after which it goes public and reveals the bug to the world.

The bug in question, reported by Googler Mateusz Jurczyk, allows an attacker to access memory using EMF metafiles.

EMF metafiles are handled by the Windows Graphics Component GDI library and store a list of drawing function calls that are replayed to render an image on screen.

Since some GDI functions allow pointers to callback functions for error handling, a WMF file may erroneously include executable code.
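The article describes a metafile as a stored list of function calls that the GDI library replays, and the reported flaw as one that lets a crafted file reach memory it should not. The example below is an added illustration, not code from the article, from Project Zero or from Microsoft: it builds a minimal EMF in memory (a constructed header plus an end-of-file record), then walks the record list the way a defensive parser should, checking each record's declared size against the bytes actually present before anything is read from it. The specific Windows bug is not described on the page; the example shows the generic bounds check that the bug class revolves around, and the helper names (`parse_emf`, `corrupt_record_size`, `is_well_formed`) are the example's own.

```python
"""Bounds-checked walk over EMF records (added illustration, not the page's code)."""
import struct

EMR_HEADER = 1               # record type of the file header
EMR_EOF = 14                 # record type that terminates the file
EMF_SIGNATURE = 0x464D4520   # " EMF" stored in the header's dSignature field
HEADER_MIN_SIZE = 88         # smallest legal EMR_HEADER
RECORD_PREFIX = struct.Struct("<II")  # every record starts with iType, nSize


def build_minimal_emf() -> bytes:
    """Construct the smallest valid EMF: a header followed by an EOF record.

    The bytes are constructed here for the example; they are not a file
    from the article or from the researcher's report.
    """
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)  # nPalEntries, offPalEntries, nSizeLast
    total = HEADER_MIN_SIZE + len(eof)
    header = RECORD_PREFIX.pack(EMR_HEADER, HEADER_MIN_SIZE)
    header += struct.pack("<4i", 0, 0, 0, 0)             # rclBounds
    header += struct.pack("<4i", 0, 0, 0, 0)             # rclFrame
    header += struct.pack(
        "<IIIIHHIIIiiii",
        EMF_SIGNATURE, 0x00010000, total, 2,  # dSignature, nVersion, nBytes, nRecords
        1, 0,                                 # nHandles, sReserved
        0, 0, 0,                              # nDescription, offDescription, nPalEntries
        1024, 768, 320, 240,                  # szlDevice, szlMillimeters
    )
    assert len(header) == HEADER_MIN_SIZE
    return header + eof


def parse_emf(data: bytes) -> list:
    """Return [(iType, nSize), ...] for every record, or raise ValueError.

    Each record's declared nSize is validated against the bytes that remain
    before the record is consumed, so a record claiming more data than the
    buffer holds is rejected rather than read past the end of the buffer.
    """
    if len(data) < HEADER_MIN_SIZE:
        raise ValueError("file shorter than the minimum EMR_HEADER")
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < RECORD_PREFIX.size:
            raise ValueError("truncated record prefix at offset %d" % offset)
        itype, nsize = RECORD_PREFIX.unpack_from(data, offset)
        if nsize < RECORD_PREFIX.size or nsize % 4 != 0:
            raise ValueError("record at offset %d has illegal size %d" % (offset, nsize))
        if nsize > len(data) - offset:
            raise ValueError("record at offset %d claims %d bytes, only %d remain"
                             % (offset, nsize, len(data) - offset))
        if offset == 0:
            # The first record must be a header with the EMF signature at byte 40.
            if itype != EMR_HEADER or nsize < HEADER_MIN_SIZE:
                raise ValueError("first record is not a well-formed EMR_HEADER")
            if struct.unpack_from("<I", data, 40)[0] != EMF_SIGNATURE:
                raise ValueError("bad EMF signature")
        records.append((itype, nsize))
        offset += nsize
        if itype == EMR_EOF:
            break
    else:
        raise ValueError("no EMR_EOF record before end of data")
    return records


def corrupt_record_size(data: bytes, record_index: int = 1, claimed: int = 0x1000) -> bytes:
    """Overwrite the nSize of the record_index-th record with `claimed`.

    Produces the kind of malformed input a record walker must reject: a
    record that declares more bytes than the buffer actually contains.
    """
    offset = 0
    for _ in range(record_index):
        offset += RECORD_PREFIX.unpack_from(data, offset)[1]
    patched = bytearray(data)
    struct.pack_into("<I", patched, offset + 4, claimed)
    return bytes(patched)


def is_well_formed(data: bytes) -> bool:
    """True when every record fits inside the buffer and the file ends in EMR_EOF."""
    try:
        parse_emf(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_minimal_emf()
    print(parse_emf(good))                              # [(1, 88), (14, 20)]
    print(is_well_formed(corrupt_record_size(good)))    # False
```

The check that matters is the comparison of `nsize` against `len(data) - offset` before the record is consumed: a walker that trusts the declared size and reads from it directly is exactly the kind of code that can be steered into memory beyond the file contents by a crafted record.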

Jurczyk said that Microsoft fixed similar bugs he reported last year, but claims the fix for those did not completely address the issues that allow access to memory.

The security researcher said he notified Microsoft about the issue on November 16th, 2016, and heard nothing back.

Last week's Valentine's Day patch day came and went, and no patch was released, so the 90-day policy kicked in and Jurczyk revealed the flaw to the world.

Gavin Millard, technical director of Tenable Network Security said: “Project Zero's 90 day window to issue a fix for a discovered vulnerability has been hotly debated in the industry with some - generally the software vendors affected by the discovery - stating the time limit is too short to implement a fix, test and rollout. But for many, the 90 day window is seen to drive the right behaviour, focusing software companies to address flaws that could be used by an attacker to gain access.”

SC Media UK contacted both Microsoft and Google for comment, however neither responded in time for publication.

This isn't the first time a bug has been reported in these types of files; in 2005 a similar vulnerability was reported to Microsoft by Symantec.

Back in November 2016, Terry Myerson, Microsoft's executive vice president of the Windows and Devices Group described Google's actions as "disappointing," when the search giant had disclosed another bug before Microsoft had patched it.

Although no such data has been released on the bug above, Myerson at the time said the vulnerability was being exploited on a "low-volume scale" by the Russia-linked hacking group Fancy Bear.

Alex Mathews, lead security evangelist of Positive Technologies said: “The vulnerability was actually found a year ago (March 2016 - CVE-2016-3216), and has already been officially patched. However, the researcher claims that the patch was ‘insufficient’. Given that warning was given with the researcher saying "This bug is subject to a 90 day disclosure deadline", the researcher has acted responsibly, but perhaps the vendor didn't agree with the risk level of this vulnerability, so hasn't asked for publication to be postponed.”
