Don't worry, slowpoke Microsoft, we patched Windows bug for you, brags security biz

You snooze, you lose

Video A computer security outfit claims to have plugged an information leak in Windows that was publicly revealed by Google before Microsoft had a patch ready. Could this third-party patching become a trend?

Last month, Google's Project Zero team disclosed details of a trivial vulnerability in the Windows user-mode GDI library: the programming blunder can be exploited by dodgy enhanced metafiles (EMFs) to siphon sensitive stuff from memory. This flaw can be potentially abused by hackers to extract data from an application's memory, or defeat ASLR to pave the way for reliable remote-code execution.

Google said it had given Microsoft 90 days to fix the issue and, as it hadn't, the Chocolate Factory went public with both the flaw and a proof-of-concept exploit. Now Slovenia-based Arcos Security says it's managed to produce a patch and has released it, via its 0patch tool, for those who want to give it a try.

"I have to kindly thank Mateusz Jurczyk of Google Project Zero for a terse and accurate report that allowed me to quickly grasp what the bug was about and jump onto patching it," said Luka Treiber from Arcos.

He explained that flaw lies within the GDI library's EMF image format parsing logic: it doesn't check the dimensions specified in an incoming image file against the actual pixel count, thus allowing the document to trick the code into reading more memory than it should. To fix this, he added a checking function into the code, and he says that the patch will work for 64-bit Windows 10, Windows 8.1, and Windows 7, and 32-bit Windows 7.

Here's a video of the patch catching an attempt to exploit the GDI bug.

Youtube Video

"While not the most severe issue, I get shivers thinking that ... a malicious page could steal credentials to my online banking account or grab a photo of me after last night's party from my browser's memory," Treiber said.

Redmond skipped its February Patch Tuesday update after hitting problems with its software build and distribution systems. This GDI bug is expected to be addressed in the next monthly patch dump, due on March 15, but a fix isn't guaranteed.

“We’re unable to endorse unverified third party security updates," a spokesperson for Microsoft said. "Our security updates are tested extensively prior to release, and we recommend customers enable automatic updates to receive the latest protections when available.” ®

Similar topics

Other stories you might like

  • UK Home Secretary delays Autonomy founder extradition decision to mid-December

    Could be a Christmas surprise in store from Priti Patel

    Autonomy Trial Autonomy founder Mike Lynch's pending extradition to the US has been kicked into the long grass again by the UK Home Office.

    Lynch is wanted in the US to stand trial on 17 charges of fraud and false accounting. He is alleged to have defrauded Hewlett Packard investors over the sale of British software firm Autonomy in 2011.

    Continue reading
  • Want to buy your own piece of the Pi? No 'urgency' says Upton of the listing rumours

    A British success story... what happens next?

    Industry talk is continuing to circulate regarding a possible public listing of the UK makers of the diminutive Raspberry Pi computer.

    Over the weekend, The Telegraph reported that a spring listing could be in the offing, with a valuation of more than £370m.

    Pi boss, Eben Upton, described the newspaper's article as "interesting" in an email to The Register today, before repeating that "we're always looking at ways to fund the future growth of the business, but the $45m we raised in September has taken some of the urgency out of that."

    Continue reading
  • All change at JetBrains: Remote development now, new IDE previewed

    Security, collaboration, flexible working: Fleet does it all apparently

    JetBrains has introduced remote development for its range of IDEs as well as previewing a new IDE called Fleet, which will form the basis for fresh tools covering all major programming languages.

    JetBrains has a core IDE used for the IntelliJ IDEA Java tool as well other IDEs such as Android Studio, the official programming environment for Google Android, PyCharm for Python, Rider for C#, and so on. The IDEs run on the Java virtual machine (JVM) and are coded using Java and Kotlin, the latter being primarily a JVM language but with options for compiling to JavaScript or native code.

    Fleet is "both an IDE and a lightweight code editor," said the company in its product announcement, suggesting perhaps that it is feeling some pressure from the success of Microsoft's Visual Studio Code, which is an extensible code editor. Initial language support is for Java, Kotlin, Go, Python, Rust, and JavaScript, though other languages such as C# will follow. Again like VS Code, Fleet can run on a local machine or on a remote server. The new IDE uses technology developed for IntelliJ such as its code-processing engine for features such as code completion and refactoring.

    Continue reading

Biting the hand that feeds IT © 1998–2021