Don't worry, slowpoke Microsoft, we patched Windows bug for you, brags security biz

You snooze, you lose


Video A computer security outfit claims to have plugged an information leak in Windows that was publicly revealed by Google before Microsoft had a patch ready. Could this third-party patching become a trend?

Last month, Google's Project Zero team disclosed details of a trivial vulnerability in the Windows user-mode GDI library: the programming blunder can be exploited by dodgy enhanced metafiles (EMFs) to siphon sensitive stuff from memory. This flaw can be potentially abused by hackers to extract data from an application's memory, or defeat ASLR to pave the way for reliable remote-code execution.

Google said it had given Microsoft 90 days to fix the issue and, as it hadn't, the Chocolate Factory went public with both the flaw and a proof-of-concept exploit. Now Slovenia-based Arcos Security says it's managed to produce a patch and has released it, via its 0patch tool, for those who want to give it a try.

"I have to kindly thank Mateusz Jurczyk of Google Project Zero for a terse and accurate report that allowed me to quickly grasp what the bug was about and jump onto patching it," said Luka Treiber from Arcos.

He explained that flaw lies within the GDI library's EMF image format parsing logic: it doesn't check the dimensions specified in an incoming image file against the actual pixel count, thus allowing the document to trick the code into reading more memory than it should. To fix this, he added a checking function into the code, and he says that the patch will work for 64-bit Windows 10, Windows 8.1, and Windows 7, and 32-bit Windows 7.

Here's a video of the patch catching an attempt to exploit the GDI bug.

Youtube Video

"While not the most severe issue, I get shivers thinking that ... a malicious page could steal credentials to my online banking account or grab a photo of me after last night's party from my browser's memory," Treiber said.

Redmond skipped its February Patch Tuesday update after hitting problems with its software build and distribution systems. This GDI bug is expected to be addressed in the next monthly patch dump, due on March 15, but a fix isn't guaranteed.

“We’re unable to endorse unverified third party security updates," a spokesperson for Microsoft said. "Our security updates are tested extensively prior to release, and we recommend customers enable automatic updates to receive the latest protections when available.” ®

Similar topics


Other stories you might like

  • Want to buy your own piece of the Pi? No 'urgency' says Upton of the listing rumours

    A British success story... what happens next?

    Industry talk is continuing to circulate regarding a possible listing for the UK makers of the diminutive Raspberry Pi computer.

    Over the weekend, UK newspaper The Telegraph reported that a spring listing could be in the offing, with a valuation of more than £370m slapped onto the computer maker.

    Pi boss, Eben Upton, described the article as "interesting" in an email to The Register today, before repeating that "we're always looking at ways to fund the future growth of the business, but the $45m we raised in September has taken some of the urgency out of that."

    Continue reading
  • JetBrains embraces remote development with new IDE for multiple programming languages

    Security, collaboration, flexible working: Fleet does it all, says project lead

    JetBrains has introduced remote development for its range of IDEs as well as previewing a new IDE called Fleet, which will form the basis for fresh tools covering all major programming languages.

    JetBrains has a core IDE used for the IntelliJ IDEA Java tool as well other IDEs such as Android Studio, the official programming environment for Google Android, PyCharm for Python, Rider for C#, and so on. The IDEs run on the Java virtual machine (JVM) and are coded using Java and Kotlin, the latter being primarily a JVM language but with options for compiling to JavaScript or native code.

    Fleet is "both an IDE and a lightweight code editor," said the company in its product announcement, suggesting perhaps that it is feeling some pressure from the success of Microsoft's Visual Studio Code, which is an extensible code editor. Initial language support is for Java, Kotlin, Go, Python, Rust, and JavaScript, though other languages such as C# will follow. Again like VS Code, Fleet can run on a local machine or on a remote server. The new IDE uses technology developed for IntelliJ such as its code-processing engine for features such as code completion and refactoring.

    Continue reading
  • Nextcloud and cloud chums fire off competition complaint to the EU over Microsoft bundling OneDrive with Windows

    No, it isn't the limited levels of storage that have irked European businesses

    EU software and cloud businesses have joined Nextcloud in filing a complaint with the European Commission regarding Microsoft's alleged anti-competitive behaviour over the bundling of its OS with online services.

    The issue is OneDrive and Microsoft's habit of packaging it (and other services such as Teams) with Windows software.

    Nextcloud sells on-premises collaboration platforms that it claims combine "the convenience and ease of use of consumer-grade solutions like Dropbox and Google Drive with the security, privacy and control business needs." Microsoft's cloud storage system, OneDrive, is conspicuous by its absence.

    Continue reading

Biting the hand that feeds IT © 1998–2021