Google discloses zero-day Windows flaw

Google has disclosed the existence of a security flaw within a Windows library, days after Microsoft delayed the release of its latest batch of Windows patches by a month.

Google Security Researcher Mateusz Jurczyk last year discovered multiple bugs in the Windows graphic device interface library that could potentially be exploited to read sensitive data within the device’s memory.

Jurczyk posted his findings on the Chromium bug tracker, subject to a 90-day disclosure deadline. That deadline expired late last week.

The exploit works by manually editing the contents of the device independent bitmaps embedded within Enhanced Metafile records used by Windows. In a proof-of-concept, Jurczyk edited a record to describe a 16x16 bitmap by just four bytes, “which is good for only a single pixel”.

The remaining pixels are drawn based on junk heap data, which could include sensitive information such as private user data.

This marks the second zero-day exploit that has been disclosed at around the same time Microsoft revealed it was putting off issuing any updates during February.

In the first instance, a proof-of-concept exploit was released on GitHub that implements a Server Message Block version 3 (SMBv3) server and can trigger a buffer overflow for connected clients, causing a blue screen of death.

Google and Microsoft also have a history of conflict surrounding Google’s practices of disclosing vulnerabilities shortly after they are discovered. Microsoft has previously accused Google of putting customers at risk by disclosing before Microsoft has time to issue a patch.

Image courtesy of Neon Tommy under CC

Follow us on Twitter and Facebook