Microsoft is once again facing embarrassment for not patching a vulnerability on time.
Yes, Google’s Project Zero team has once again publicly disclosed a vulnerability, complete with a proof-of-concept exploit, affecting Microsoft’s Windows operating systems from Windows Vista Service Pack 2 up to the latest Windows 10, and Microsoft had yet to patch it.
A few months back, the search engine giant disclosed a critical Windows vulnerability to the public just ten days after revealing the flaw to Microsoft.
However, this time Google revealed the vulnerability in Windows to the public after Microsoft failed to patch it within the 90-day window given by the company.
Google’s Project Zero member Mateusz Jurczyk responsibly reported a vulnerability in Windows’ Graphics Device Interface (GDI) library to Microsoft’s security team on the 9th of June last year.
The vulnerability affects any program that renders images through this library, and if exploited it could let an attacker read the contents of that program’s memory (an information disclosure, not code execution in itself).
While Microsoft released a patch for the vulnerability on 15th June, the company did not fix all the issues in the GDI library, forcing the Project Zero researcher to report it to Microsoft once again, with a proof-of-concept, on the 16th of November.
“As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker,” Jurczyk notes in the new report.
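To make the bug class concrete, here is an added example in C that is not Project Zero’s proof-of-concept and not gdi32 code. It uses a hypothetical record format (a small header declaring width, height, bytes per pixel and a payload length, followed by pixel bytes) and two decoders: one that sizes its pixel copy from the declared dimensions alone, so pixels end up carrying bytes from beyond the record, and a hardened one that refuses records whose declared size exceeds the data actually present. The "adjacent heap" is simulated with constructed bytes placed after the record in a single array, so the over-read is deterministic and stays inside the array; all function names are assumptions for illustration.

```c
/* Constructed illustration of the GDI bug class described above: an image
 * decoder that sizes its pixel copy from the dimensions declared in a record
 * header rather than from the bytes actually present. NOT gdi32 code; the
 * record format is hypothetical and the "adjacent heap" is simulated. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record: u16 width, u16 height, u8 bytes_per_pixel,
 * u32 payload_len (little-endian), followed by payload_len pixel bytes. */
#define HDR_LEN 9

struct bitmap { uint32_t width, height, bpp; size_t len; uint8_t *pixels; };

static int parse_header(const uint8_t *rec, size_t rec_len,
                        struct bitmap *bm, uint32_t *payload_len)
{
    if (rec_len < HDR_LEN) return -1;
    bm->width  = rec[0] | (uint32_t)rec[1] << 8;
    bm->height = rec[2] | (uint32_t)rec[3] << 8;
    bm->bpp    = rec[4];
    *payload_len = rec[5] | (uint32_t)rec[6] << 8 |
                   (uint32_t)rec[7] << 16 | (uint32_t)rec[8] << 24;
    return 0;
}

/* VULNERABLE: the copy length comes from the header alone. A record declaring
 * 8x8 pixels but carrying 4 bytes makes memcpy read 60 bytes past the record;
 * in a real client those are heap bytes, later shown or read back as colours. */
struct bitmap *decode_vulnerable(const uint8_t *rec, size_t rec_len)
{
    struct bitmap *bm = calloc(1, sizeof *bm);
    uint32_t payload_len;
    if (!bm || parse_header(rec, rec_len, bm, &payload_len) < 0) { free(bm); return NULL; }
    bm->len = (size_t)bm->width * bm->height * bm->bpp;
    bm->pixels = malloc(bm->len);
    if (!bm->pixels) { free(bm); return NULL; }
    memcpy(bm->pixels, rec + HDR_LEN, bm->len);   /* bug: bounded by header, not by data */
    return bm;
}

/* HARDENED: derive the pixel count with overflow checks, then require that
 * many bytes to be present both per the length field and in the caller's
 * buffer. Short records are rejected rather than padded. */
struct bitmap *decode_hardened(const uint8_t *rec, size_t rec_len)
{
    struct bitmap hdr;
    uint32_t payload_len;
    if (parse_header(rec, rec_len, &hdr, &payload_len) < 0) return NULL;
    if (hdr.width == 0 || hdr.height == 0 || hdr.bpp == 0 || hdr.bpp > 4) return NULL;
    uint64_t need = (uint64_t)hdr.width * hdr.height * hdr.bpp;
    if (need > UINT32_MAX) return NULL;
    if (payload_len < need) return NULL;              /* header lies about its own payload */
    if (rec_len - HDR_LEN < payload_len) return NULL; /* payload not actually present */
    struct bitmap *bm = malloc(sizeof *bm);
    if (!bm) return NULL;
    *bm = hdr;
    bm->len = (size_t)need;
    bm->pixels = malloc(bm->len);
    if (!bm->pixels) { free(bm); return NULL; }
    memcpy(bm->pixels, rec + HDR_LEN, bm->len);
    return bm;
}

void free_bitmap(struct bitmap *bm) { if (bm) { free(bm->pixels); free(bm); } }

static void write_header(uint8_t *out, uint16_t w, uint16_t h, uint8_t bpp, uint32_t plen)
{
    out[0] = w; out[1] = w >> 8; out[2] = h; out[3] = h >> 8; out[4] = bpp;
    out[5] = plen; out[6] = plen >> 8; out[7] = plen >> 16; out[8] = plen >> 24;
}

/* Constructed sample: a record declaring 8x8x1 (64 pixel bytes) that carries
 * only 4, followed by 60 bytes of 'S' standing in for adjacent heap contents.
 * Returns how many 'S' bytes the vulnerable decoder turned into pixels. */
int leaked_bytes_from_sample(void)
{
    uint8_t file[HDR_LEN + 64];
    write_header(file, 8, 8, 1, 4);
    memcpy(file + HDR_LEN, "\x01\x02\x03\x04", 4);
    memset(file + HDR_LEN + 4, 'S', 60);
    struct bitmap *bm = decode_vulnerable(file, HDR_LEN + 4); /* true file length */
    int leaked = 0;
    for (size_t i = 0; bm && i < bm->len; i++) leaked += (bm->pixels[i] == 'S');
    free_bitmap(bm);
    return leaked;
}

/* Same short record through the hardened decoder: 1 if rejected, 0 if not. */
int hardened_rejects_sample(void)
{
    uint8_t file[HDR_LEN + 4];
    write_header(file, 8, 8, 1, 4);
    memcpy(file + HDR_LEN, "\x01\x02\x03\x04", 4);
    struct bitmap *bm = decode_hardened(file, sizeof file);
    int rejected = (bm == NULL);
    free_bitmap(bm);
    return rejected;
}

/* A consistent 2x2x1 record is still accepted: returns its pixel count. */
int hardened_accepts_valid(void)
{
    uint8_t file[HDR_LEN + 4];
    write_header(file, 2, 2, 1, 4);
    memcpy(file + HDR_LEN, "\x10\x20\x30\x40", 4);
    struct bitmap *bm = decode_hardened(file, sizeof file);
    int n = bm ? (int)bm->len : -1;
    free_bitmap(bm);
    return n;
}

int main(void)
{
    printf("vulnerable decoder leaked %d adjacent bytes into pixels\n", leaked_bytes_from_sample());
    printf("hardened decoder rejects short record: %d\n", hardened_rejects_sample());
    printf("hardened decoder accepts valid record, pixel bytes: %d\n", hardened_accepts_valid());
    return 0;
}
```

The point of the hardened variant is that every length used for a copy is checked against the data the caller actually supplied, not against anything the attacker wrote into the header; the same discipline applies whether the output buffer is later displayed on screen or handed back to script that can read pixel values.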
Now, after giving the three-month grace period to the company, Google released the details of the vulnerability to the public, including hackers and malicious actors.
Google’s Project Zero team routinely finds security holes in different software and calls on the affected vendors to patch and publicly disclose bugs within 90 days of being notified. If they do not, the company automatically makes the flaw, along with its details, public.
Windows users need not panic: this is an information-disclosure bug rather than remote code execution, and it requires a victim to render an attacker-supplied image in a GDI client such as Internet Explorer, after which the attacker can read the leaked heap bytes back out of the displayed pixels. Such memory leaks are nonetheless routinely chained with other bugs to defeat defences like ASLR, so the Redmond giant will have to release an emergency patch before sophisticated exploits are developed.
Microsoft recently delayed this month’s Patch Tuesday by a month due to “a last-minute issue that could impact some customers and was not resolved in time for [Microsoft’s] planned updates” on 14th February.
So, if no emergency patch arrives this month, this newly disclosed vulnerability will be left open for hackers for almost a month to exploit, just as we saw last time when Russian hackers actively exploited a then-unpatched Windows kernel bug in the wild, which could put Windows users at potential risk.