Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Bug Windows Google Microsoft Security

Google Discloses An Unpatched Windows Bug (Again) (bleepingcomputer.com) 122

An anonymous reader writes: "For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement," reports BleepingComputer. "The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll)..." According to Google, the issue allows an attacker to read the content of the user's memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among many.

"According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable." He later resubmitted the bugs in November 2016. The 90-days deadline for fixing the bugs expired last week, and the Google researcher disclosed the bug to the public after Microsoft delayed February's security updates to next month's Patch Tuesday, for March 15.

Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".
This discussion has been archived. No new comments can be posted.

Google Discloses An Unpatched Windows Bug (Again)

Comments Filter:
  • by ZP-Blight ( 827688 ) on Sunday February 19, 2017 @06:38PM (#53897107) Homepage

    This is what happens when control overtakes security as a priority.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Microsoft could always, you know, fix their goddamn bugs.

      • An honest question, why does Google drop bugs about MS at or before 90 days, while giving Apple 1+ year to fix bugs in past. I'm arguing what position Google should take, but rather suggesting Google be uniform in the standard they apply to everyone. Whatever they do regarding OS X, iOS or the Linux kernel should be the same way they treat Windows and vis versa.

        • by Threni ( 635302 )

          The linux kernel is open source. Why would you treat that the same way as a closed-source, proprietary product?

          • Re: (Score:2, Troll)

            by gweihir ( 88907 )

            Because these morons do not actually want to do anything about the problem, they are just looking for excuses for MS. How somebody can be this stupid is beyond me, but "happy slaves" are apparently a reality.

            Incidentally, for serious security vulnerabilities, the Linux kernel has time-to-fix considerably less than 90 days. Times of below 12h after reporting have been observed. There is no issue to be fixed here, the Linux folks are doing their job. The problem is that MS is not doing theirs and are endanger

        • by Anonymous Coward on Sunday February 19, 2017 @07:18PM (#53897265)

          My perception is that, for the prior MS bug and this one, the difference between Apple and Microsoft was that Microsoft didn't ask Google to delay disclosure.

          If you look at, say, this one: https://bugs.chromium.org/p/project-zero/issues/detail?id=837#c3

          You'll see that Apple had to request an extension, get denied it, then set up meetings to explain why they needed it, get denied a partial disclosure extension AGAIN, and then it escalated before they got a further extension.

          I would have expected that MSFT could have at least gotten the 14d extension on the 90d disclosure deadline, even if they couldn't push it all the way to the next Patch Tuesday.

          • Perhaps it was intended to be in the now-cancelled February patch Tuesday.
          • by gweihir ( 88907 )

            Indeed. MS did not even manage to ask for an extension. Apparently they are now completely dysfunctional when it comes to security.

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          10 months isn't long enough to fix something?
          Specially something Microsoft supposedly fixed 8 months ago?

          • by Anonymous Coward

            Depends on how many other things the "fix" breaks.

            While most software fixes are simple, many are not as simple as people think. Why do you think companies delay patching something for month?

        • How far in the past? https://arstechnica.com/securi... [arstechnica.com]

        • Re: (Score:2, Troll)

          by gweihir ( 88907 )

          You are either stupid or trolling.

          First, MS did actually get something like a year here. And second: The policy is simple: Get 90 days unless there are some special circumstances. There were none (except gross incompetence by MS), hence the bug got published after they failed again (!) to fix it and it was already being exploited.

        • You ask:

          ... why does Google drop bugs about MS at or before 90 days, while giving Apple 1+ year to fix bugs in past?

          Microsoft appears to give the answer to that question itself in the blog referenced by TFA:

          Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. And we take this responsibility very seriously.

          https://blogs.technet.microsof... [microsoft.com]

      • Microsoft could always, you know, fix their goddamn bugs.

        Microsoft has had a long history of fixing and unfixing bugs - where one update would fix a bug, and another would undo the fix. The had a nasty WMF (Windows Metafile Format) that was patched and unpatched for 20+ years; I think they finally got it patched without any rollbacks when they patched it in Windows 8 or 8.1 (at least, that's the last time I heard about it; wouldn't surprise me if it showed up in Windows 10 again).

        IOW, they have really bad patch management and QA/QE processes. It's amazing they

      • yes but why fix them if they can offer a whole new OS.....win11.....job security
    • by Anonymous Coward

      Yes, because users don't have the right to know what is wrong with their operating system so that they can take action to defend against it.

      Blissfully ignorant people like you are the reason why viruses and worms get spread around.

    • by gweihir ( 88907 )

      More like greed and stupidity. Both qualities MS has amply demonstrated in the past and is continuing to push as core values.

    • by Z00L00K ( 682162 )

      Security has never been a strong point by Microsoft, they have always been in a situation of one or two steps behind.

    • Sometimes you have to hold their feet to the fire before they will take action.

      Better to know of a vulnerability and force MS to fix it as a priority rather than letting it stay a secret known to only a few and have MS fix it whenever they get around to it.

  • Wrong Headline (Score:5, Insightful)

    by Anonymous Coward on Sunday February 19, 2017 @06:39PM (#53897111)

    Shouldn't the headline be "Microsoft fails to fix exploit for months"?

    • Shouldn't the headline be "Microsoft fails to fix exploit for months"?

      Technically, yes, you are correct.

      But if this were applied in reality, there would be so many news articles of the same name – each tranche covering yet another un-patched MS exploit, that it would become impossible to follow any individual one.

      There are just so many of these things. . . We need a way of telling one from another.

    • Re:Wrong Headline (Score:4, Interesting)

      by Solandri ( 704621 ) on Sunday February 19, 2017 @11:16PM (#53898059)
      TFA (which summary quotes) implies the fix was in the February update which Microsoft delayed. So the courteous thing to do would've been to extend disclosure beyond 90 days until after the March update.

      OTOH, the entire reason Microsoft had to delay the February update was because they insisted on lumping all the patches into one huge mega-update. If they'd stuck with individual updates as before, then the crucial security patches would've gone out on time, while only the problem patch would've been delayed. So it's still Microsoft's fault.
      • by RyoShin ( 610051 )

        So the courteous thing to do would've been to extend disclosure beyond 90 days until after the March update.

        And if the March update becomes the April update...?

    • by gweihir ( 88907 )

      Indeed. And add to that "which was already being exploited".

  • by bongey ( 974911 ) on Sunday February 19, 2017 @06:41PM (#53897117)
    The bug was actively being used to exploit windows. Letting people know there is active exploit is more important than bad PR for Microsoft.
    • by chaboud ( 231590 ) on Sunday February 19, 2017 @06:56PM (#53897173) Homepage Journal

      Which is why a 90 day disclosure to public announcement deadline is a reasonable measure. If a bug can be discovered by a nice engineer, it can also be discovered and exploited by a malicious one.

      People being mad about this announcement would be akin to people being angry about leaks from Trump's administration rather than the malfeasance uncovered, which would be, you know... Ludicrous.

      Or Snowden, etc...

      • Re: (Score:2, Offtopic)

        by bongey ( 974911 )

        people being angry about leaks from Trump's administration.

        IT'S A TRAP !!!!
        Don't fall for the Trump trigger trap, dammit I said T**** again.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Because Google does such a great job ensuring the same for their Android users. /sarcasm

      If patches can't make it to end users, they're just as culpable. They created their situation.

  • Disappointing? (Score:5, Insightful)

    by danhuby ( 759002 ) on Sunday February 19, 2017 @06:43PM (#53897129) Homepage

    > Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".

    I would describe Microsoft's ability to patch these bugs within a reasonable timeframe as "disappointing".

    • I would describe Microsoft's pattern of constantly distributing deeply flawed software as "inexcusable".

    • by wbr1 ( 2538558 ) on Sunday February 19, 2017 @07:35PM (#53897311)
      The correct verbiage now is as follows:

      So-called tech company releases fake news. SAD!

    • by Luthair ( 847766 )
      I have this recollection that Google delayed publishing an Apple vulnerability for quite a while.
    • Sometimes it's not that simple to fix bugs, a lot of other applications depend on systemwide features, so you cannot change the workings (if they have followed the API as it was intended) to fix security bugs. It also has to be tested thoroughly, and that just takes time. And as I say, some 'bugs' maybe aren't even fixable due to how the API works.
      Also this team are a bunch of hypocrites, because they have extended publication beyond the 90 days of google software themselves..
      It's a security flaw, but it do

  • by Anonymous Coward on Sunday February 19, 2017 @06:54PM (#53897167)

    This is a pretty disappointing spin on what sounds like actually happened.

    So... March 2016 they found it and suggested a fix. The June patch by Microsoft was insufficient, so they told them (again) in November 2016 they need to fix it. Microsoft had an additional 90 days to patch the bug (which is pretty standard practice in the industry), and didn't fix a YEAR OLD bug

    What was Microsoft expecting here? I would expect the same to happen to Google, Apple, or any other big company if it took them that long to fix a bug that's been known for that long.

    • by gweihir ( 88907 )

      MS is blatantly riding their exception from liability for what in all other tech products would be called gross negligence and would make the manufacture criminally and civilly liable. Until they do get that liability, like they should, nothing is going to change.

  • LibreOffice? (Score:3, Interesting)

    by TheOuterLinux ( 4778741 ) on Sunday February 19, 2017 @07:33PM (#53897307)
    It would be interesting to see if this security issue also affects LibreOffice on a Window$ system since it also opens docx files. Anyone know? I'm a Linux user (duh), but even I will admit to how much nicer M$ Office is. I like Apple's iWork stuff too, but having to save a document in a strictly Apple format to keep the cool stuff it'll do isn't work it vs. practicality. The day LibreOffice supports Google Drive out-of-the-box and has a mobile version, Office 365 doesn't have a chance. Also, something to note on Linux and LibreOffice, there are a whole bunch of command line cheats you can use with LibreOffice, so no GUI needed if you have enough patience. Type a doc with nano or pico and convert to a PDF with "soffice --headless --convert-to : file_to_convert.xxx" There's a lot more you can do with LibreOffice than you can M$ Office, but eye candy gets people every time.
    • Re:LibreOffice? (Score:5, Informative)

      by fuzzyfuzzyfungus ( 1223518 ) on Sunday February 19, 2017 @11:13PM (#53898053) Journal
      You can definitely embed Windows Metafile images in LibreOffice on Windows; but I'm not entirely sure if that is enough to make it vulnerable. WMF is dangerous because it is basically a package of GDI function calls, which might be good for efficiency or compactness; but has led to a number of creative and executable things being shoehorned in(as in this case; and repeatedly over the years).

      However, there are several image handling libraries that can render or convert WMF images without access to GDI; so in those cases GDI bugs wouldn't be a problem(though you probably have other things to worry about).

      This Libreoffice VCL documentation [libreoffice.org] suggests that LibreOffice uses its own VCL WMF filters [freedesktop.org]; but I sure wouldn't bet anything remotely important on that without testing it first; or knowing rather more about how LibreOffice is put together.
      • by Anonymous Coward

        WMF's bad security record isn't because it's a list of GDI calls, after all many file format parsers use separate functions or classes for the records in the file and in WMF the calls basically act as drawing primitives.
        No, it's because when loading / playing a WMF file, Windows fails to properly sanitise the file before use. This has historically been one of the two main causes of datafile delivered exploits, the other one being running untrusted code.
        Case in point is the current vulnerability, which is ag

  • Microsoft dropping Patch Tuesday is disappointing!
  • Microsoft, owner of Skype (which Microsoft changed specifically for spying [guardian.co.uk], not that Skype was trustworthy under its previous owner either as The Guardian tells us, "Eight months before being bought by Microsoft, Skype joined the Prism program in February 2011.") and NSA "provider" since 2007-09-11 (the NSA's first PRISM provider) [washingtonpost.com] wants us to understand their "commitment to our customers' security". Apparently that commitment is as little as they can get away with.

    That's true of every software proprietor, Google included. The problem is the lack of software freedom which is designed to leave users at the mercy of the only programmers allowed to inspect, alter, and publish improvements to the proprietary software—these are the very programmers users couldn't trust with their security in the first place.

    • I'm frustrated by your generalization "That's true of every software proprietor"
      The very large and very visible company that I work for, works hard to make sure we stay on top of vulnerabilities. If my team discovers one in any product, nothing else in that product line goes out till the bug is fixed. Also I don't know of any back doors in our products or even any requests for back doors in our products. I do know of requests for back doors or underhanded feature requests that have gone into other comp
  • The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among many.

    Can we hear about other attack methods? So far this sounds like an issue that isn't going to impact people not using Microsoft Office or DOCX files.

  • by fuzzyfuzzyfungus ( 1223518 ) on Sunday February 19, 2017 @10:56PM (#53897987) Journal
    So, yet another exploit in GDI; an initial attempt at a fix that didn't actually work; a second attempt that was delayed a month(along with a reasonably juicy SMB issue; and probably some other stuff); and the disclosure is the 'disappointing' part? How eminently plausible.
    • Re: (Score:3, Interesting)

      by gweihir ( 88907 )

      MS needs to be either kicked hard until they get that they have a responsibility, or they need to be made completely obsolete. 90 days is plenty. I say we call not fixing reported security-bugs in 90 days gross negligence and make them per default liable for all hacks of their "OS" that happen afterwards until they patch and with no possibility to prevent that liability in the TOU.

  • by gweihir ( 88907 ) on Monday February 20, 2017 @01:45AM (#53898463)

    Why are we are trusting these people to provide widely-used software, again?

    A reasonable time-frame to patch security vulnerabilities is like 2...4 weeks. 90 days is already stretching it considerably and they still are too incompetent or uncaring to make that long deadline. Google is doing the right thing here. If incompetent and lazy vendors are not forced to fix security vulnerabilities, they will never do it. It is just utterly pathetic that we allow MS to be one of these worst offenders.

  • Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing"...

    Perhaps if Microsoft wasn't so focused on making the Microsoft Telemetry OS (a.k.a. Windows 10) to feed unethical revenue channels, they would be more concerned about Security in their products.

    In short, Screw You, Microsoft, for having the unmitigated gall to make such a statement after having months to fix your shit. I would suggest that you should start taking Security seriously, but you've failed to do that for decades now. Don't even know what to say about your new-and-improved patch process other th

Marvelous! The super-user's going to boot me! What a finely tuned response to the situation!