Third-Party Vendor Issues Temporary Patch for Windows GDI Vulnerability


A vulnerability discovered by Google Project Zero security researchers and left without a patch by Microsoft received a temporary fix from third-party security vendor ACROS Security.

The vulnerability, tracked as CVE-2017-0038, is a bug in Windows GDI (Graphics Device Interface), the library (gdi32.dll) that Windows uses to render graphics and formatted text, both for the screen and when sending output to local printers.

According to Google's researchers, an attacker can use a malformed EMF (Enhanced Metafile) image to make GDI read heap memory beyond the bitmap data the file actually carries and render it as pixels, disclosing the contents of the victim process's memory. On its own this is an information leak rather than code execution; its value to an attacker is that leaked pointers defeat ASLR, which is usually a prerequisite for turning a separate memory-corruption bug into reliable code execution on the user's computer.

“I have confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file,” explained Mateusz Jurczyk, the Google engineer who found the bug.
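For readers who want a concrete check rather than a description, the following is an added example (not code from the article, Google Project Zero or 0patch) that walks the records of an EMF file and flags the class of inconsistency described above: a DIB-carrying record whose BITMAPINFOHEADER implies more pixel bytes than the record contains, or whose bitmap pointers fall outside the record. The record types and field offsets follow the public MS-EMF and BITMAPINFOHEADER layouts; treating "declared size exceeds bytes present" as the suspicious condition is an assumption about the general class of malformation, not a claim about the exact root cause of CVE-2017-0038. The sample EMF byte strings are constructed inline and are not real-world samples.

```python
"""Flag EMF bitmap records whose declared DIB needs more pixel bytes than the
record carries.  Added example, not code from the article, Google Project
Zero or 0patch.  Field layouts follow MS-EMF (EMR_SETDIBITSTODEVICE /
EMR_STRETCHDIBITS) and BITMAPINFOHEADER; treating "declared size exceeds
bytes present" as the suspicious condition is an assumption about the class
of malformation described, not a claim about the exact root cause."""
import struct

EMR_EOF = 0x0E
EMR_SETDIBITSTODEVICE = 0x50
EMR_STRETCHDIBITS = 0x51
DIB_RECORDS = {EMR_SETDIBITSTODEVICE: "EMR_SETDIBITSTODEVICE",
               EMR_STRETCHDIBITS: "EMR_STRETCHDIBITS"}
EMF_SIGNATURE = 0x464D4520      # " EMF", at offset 40 of the EMR_HEADER record
BI_RGB = 0


def iter_records(data):
    """Yield (offset, type, bytes) per record; bytes is None for a bad size."""
    off = 0
    while off + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, off)
        if size < 8 or size % 4 or off + size > len(data):
            yield off, rtype, None
            return
        yield off, rtype, data[off:off + size]
        if rtype == EMR_EOF:
            return
        off += size


def dib_bytes_needed(bmi):
    """Pixel bytes implied by a BITMAPINFOHEADER (uncompressed DIBs only)."""
    width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", bmi, 4)
    if compression != BI_RGB:
        return None                     # size then comes from biSizeImage; not modelled
    stride = ((abs(width) * bpp + 31) // 32) * 4   # rows are padded to 4 bytes
    return stride * abs(height)


def check_dib_record(off, rtype, rec):
    """Consistency checks for one DIB-carrying record; returns finding strings."""
    name, size = DIB_RECORDS[rtype], len(rec)
    if size < 64:
        return [f"{name}@{off}: record too short ({size} bytes)"]
    # offBmiSrc, cbBmiSrc, offBitsSrc, cbBitsSrc sit at record offset 48 in both types
    off_bmi, cb_bmi, off_bits, cb_bits = struct.unpack_from("<IIII", rec, 48)
    if cb_bmi < 40 or off_bmi + cb_bmi > size:
        return [f"{name}@{off}: BITMAPINFO outside record (off={off_bmi}, cb={cb_bmi}, size={size})"]
    findings = []
    if off_bits + cb_bits > size:
        findings.append(f"{name}@{off}: pixel data outside record (off={off_bits}, cb={cb_bits}, size={size})")
    needed = dib_bytes_needed(rec[off_bmi:off_bmi + cb_bmi])
    if needed is not None and needed > cb_bits:
        findings.append(f"{name}@{off}: header implies {needed} pixel bytes, record carries {cb_bits}")
    return findings


def scan_emf(data):
    """Return a list of findings; an empty list means nothing looked inconsistent."""
    if len(data) < 44 or struct.unpack_from("<I", data, 40)[0] != EMF_SIGNATURE:
        return ["not an EMF file (bad signature)"]
    findings = []
    for off, rtype, rec in iter_records(data):
        if rec is None:
            findings.append(f"record@{off}: invalid or truncated size")
            break
        if rtype in DIB_RECORDS:
            findings.extend(check_dib_record(off, rtype, rec))
    return findings


# --- constructed sample files (built here for the example, not real samples) --
def _stretchdibits(width, height, bpp, pixels, claimed_bits=None):
    """Build an EMR_STRETCHDIBITS record carrying an uncompressed DIB."""
    pixels += b"\0" * (-len(pixels) % 4)
    cb_bits = len(pixels) if claimed_bits is None else claimed_bits
    size = 80 + 40 + len(pixels)
    hdr = struct.pack("<II16siiiiiiIIIIIIii", EMR_STRETCHDIBITS, size, b"\0" * 16,
                      0, 0, 0, 0, width, height,        # xDest, yDest, xSrc, ySrc, cxSrc, cySrc
                      80, 40, 120, cb_bits,             # offBmiSrc, cbBmiSrc, offBitsSrc, cbBitsSrc
                      0, 0x00CC0020, width, height)     # DIB_RGB_COLORS, SRCCOPY, cxDest, cyDest
    bmi = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, BI_RGB, len(pixels), 0, 0, 0, 0)
    return hdr + bmi + pixels


def _emf(*records):
    """Wrap records in a minimal EMR_HEADER / EMR_EOF pair."""
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)
    body = b"".join(records) + eof
    header = struct.pack("<II16s16sIIIIHHIII8s8s", 1, 88, b"\0" * 16, b"\0" * 16,
                         EMF_SIGNATURE, 0x10000, 88 + len(body), len(records) + 2,
                         1, 0, 0, 0, 0, b"\0" * 8, b"\0" * 8)
    return header + body


PIXELS_2X2 = (b"\xff\x00\x00" * 2 + b"\0\0") * 2     # two 8-byte rows: 2 BGR pixels + padding
BENIGN_EMF = _emf(_stretchdibits(2, 2, 24, PIXELS_2X2))            # header and data agree
OVERSIZED_HEADER_EMF = _emf(_stretchdibits(64, 64, 24, PIXELS_2X2))  # claims 64x64, carries 16 bytes
OUT_OF_RECORD_EMF = _emf(_stretchdibits(2, 2, 24, PIXELS_2X2, claimed_bits=4096))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_EMF), ("oversized header", OVERSIZED_HEADER_EMF),
                        ("bits outside record", OUT_OF_RECORD_EMF)):
        print(label, scan_emf(blob) or "OK")
```

The scanner only models uncompressed (BI_RGB) bitmaps and the two DIB record types most commonly found in EMF files; it is a triage aid for mail gateways or sandboxes, not a replacement for patching gdi32.dll.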

Issue left unpatched after Microsoft delays Patch Tuesday

The issue was in fact first reported to Microsoft in 2016 and received a fix that June as part of the MS16-074 bulletin. Jurczyk, who re-tested the patched gdi32.dll, found that the fix did not cover all of the problems in his original report and resubmitted the remaining issue to Microsoft in November 2016.

Jurczyk then waited 90 days, the standard disclosure deadline Google Project Zero gives vendors to fix their products, and published the details of the still-unfixed bug when that deadline expired.

His disclosure came after Microsoft cancelled February's security updates and deferred them to March's Patch Tuesday, scheduled to arrive on March 15.

ACROS Security delivers temporary patch

In the meantime, ACROS Security has issued a temporary fix delivered through its 0patch product, a platform that applies small code patches for zero-days and other unpatched vulnerabilities, for end-of-life and unsupported products and legacy operating systems, for vulnerable third-party components, and for customized software.

The patch is free and is applied through the 0patch Agent client; the patch files are also available for inspection and download.

The patch is available for the following platforms: Windows 10 64-bit, Windows 8.1 64-bit, Windows 7 64-bit and Windows 7 32-bit. Because the patch is keyed to the exact build of gdi32.dll, a system running a build of the DLL it does not recognize is not protected by it.

“While not the most severe issue, I get shivers thinking that instead of the rainbow image [used during testing], a malicious page could steal credentials to my online banking account or grab a photo of me after last night’s party from my browser’s memory,” Luka Treiber, member of the 0patch team, said.

“Note that when Microsoft’s update fixes this issue, it will replace the vulnerable gdi32.dll and our patch will automatically stop getting applied as it is strictly tied to the vulnerable version of the DLL,” Treiber also added.

A video showing how an attack with CVE-2017-0038 behaves before and after the patch is available below.

Besides the Windows GDI issue, Google Project Zero researchers also disclosed details of a second unpatched Microsoft vulnerability, this one affecting the Edge and Internet Explorer browsers.