b374k
v10
today : | at : | safemode : ON
> / home / facebook / twitter / exit /
name author perms com modified label

Google Discloses Vulnerability After Microsoft Fails To Patch In Time Asylum rwxr-xr-x 0 4:14 PM | | | | | | |

Filename Google Discloses Vulnerability After Microsoft Fails To Patch In Time
Permission rw-r--r--
Author Asylum
Date and Time 4:14 PM
Label | | | | | | |
Action
(pc-Google Images)
Google's Project Zero has unearthed a bug in Windows, and as Microsoft failed to patch it within 90 days of being notified, details of the flaw have been made public.

The vulnerability in question is in the gdi32.dll file that is used by a significant number of programs. It is affecting Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10, which are yet to be patched.

Google gives company 90 days after disclosure of vulnerabilities to fix the issue. However, if the time elapses without a patch that is made available to the public, the vulnerability is then disclosed to the public so that users can protect themselves by taking necessary steps.

In a post, Google’s Mateusz Jurczyk explains how the bug works. The post -- entitled "Windows gdi32.dll heap-based out-of-bounds reads / memory disclosure in EMR_SETDIBITSTODEVICE and possibly other records" -- says that Microsoft issued a patch that fixed a related issue, but not all the memory access issues were addressed.

As part of MS16-074, some of the bugs were indeed fixed, such as the EMR_STRETCHBLT record, which the original proof-of-concept image relied on. However, we've discovered that not all the DIB-related problems are gone. As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.

Jurczyk informed Microsoft about the bug on 16 November, giving the Windows-maker 90 days to get things sorted before going public. With this month's batch of security patches from Microsoft being delayed, the company missed the deadline, so the details of the bug are now available for everyone to see.


via E Hacking News - Latest Hacker News and IT Security News Google Discloses Vulnerability After Microsoft Fails To Patch In Time http://ift.tt/2mxXW2P

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)
 

Jayalah Indonesiaku © 2010 Hacker News
VB (Vio b374k) Template design by p4r46hcyb3rn3t