Google Discloses An Unpatched Windows Bug (Again)

Posted by EditorDavid
An anonymous reader writes: "For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement," reports BleepingComputer. "The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll)..." According to Google, the issue allows an attacker to read the content of the user's memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among many.

"According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable." He later resubmitted the bugs in November 2016. The 90-day deadline for fixing the bugs expired last week, and the Google researcher disclosed the bug to the public after Microsoft delayed February's security updates to next month's Patch Tuesday, March 15.
Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".
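The summary's practical point for defenders is that the EMF file does not have to arrive on its own: a DOCX is a zip archive, and an EMF image can sit inside it under any member name. The following scanner is an added example (not code from Google, Microsoft or the linked report) that opens a DOCX, reads the first bytes of every member, and flags those that begin with an EMF header record, regardless of the file extension. It relies only on the public EMF layout (record type 1 and the " EMF" signature at offset 40 of the header record); the sample document it builds is constructed inline for demonstration and contains only a bare header, not any exploit content.

```python
import io
import struct
import zipfile

EMR_HEADER = 1                 # record type of the first record in every EMF file
EMF_SIGNATURE = 0x464D4520     # ASCII " EMF", stored little-endian at offset 40 of EMR_HEADER
EMR_HEADER_MIN_SIZE = 88       # base size of the EMR_HEADER record in bytes


def looks_like_emf(data: bytes) -> bool:
    """Return True if `data` starts with a well-formed EMR_HEADER record."""
    if len(data) < 44:
        return False
    rec_type, rec_size = struct.unpack_from("<II", data, 0)
    (signature,) = struct.unpack_from("<I", data, 40)
    return (rec_type == EMR_HEADER
            and signature == EMF_SIGNATURE
            and rec_size >= EMR_HEADER_MIN_SIZE)


def find_embedded_emf(docx_bytes: bytes) -> list:
    """List zip members of a DOCX whose content is EMF, whatever their extension says."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(64)       # enough to cover the signature at offset 40
            if looks_like_emf(head):
                hits.append(info.filename)
    return hits


# --- constructed sample data (not from the page) ---------------------------

def build_emf_header() -> bytes:
    """A minimal, benign EMR_HEADER: type 1, size 88, signature at offset 40."""
    hdr = bytearray(EMR_HEADER_MIN_SIZE)
    struct.pack_into("<II", hdr, 0, EMR_HEADER, EMR_HEADER_MIN_SIZE)
    struct.pack_into("<I", hdr, 40, EMF_SIGNATURE)
    return bytes(hdr)


def build_sample_docx() -> bytes:
    """A toy DOCX-shaped zip: one real EMF, one EMF renamed to .png, one real PNG stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.emf", build_emf_header())
        zf.writestr("word/media/image2.png", build_emf_header())   # EMF hiding behind a .png name
        zf.writestr("word/media/image3.png", b"\x89PNG\r\n\x1a\n" + bytes(32))
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_embedded_emf(build_sample_docx()):
        print("EMF content found in member:", name)
```

Checking content rather than extension is the whole point: a mail gateway or document sanitizer that only filters `*.emf` members would pass `image2.png` through. The same approach extends to other OOXML containers (XLSX, PPTX) since they share the zip layout.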

  • This is what happens when control overtakes security as a priority.

    • Re: (Score:1)

      by Anonymous Coward

      Yes, because users don't have the right to know what is wrong with their operating system so that they can take action to defend against it.

      Blissfully ignorant people like you are the reason why viruses and worms get spread around.

  • Wrong Headline (Score:1)

    by Anonymous Coward

    Shouldn't the headline be "Microsoft fails to fix exploit for months"?

  • Microsoft deserved it (Score:5, Informative)

    by bongey ( 974911 ) on Sunday February 19, 2017 @05:41PM (#53897117)
    The bug was actively being used to exploit Windows. Letting people know there is an active exploit is more important than bad PR for Microsoft.

    • Which is why a 90 day disclosure to public announcement deadline is a reasonable measure. If a bug can be discovered by a nice engineer, it can also be discovered and exploited by a malicious one.

      People being mad about this announcement would be akin to people being angry about leaks from Trump's administration rather than the malfeasance uncovered, which would be, you know... Ludicrous.

      Or Snowden, etc...

  • Disappointing? (Score:5, Insightful)

    by danhuby ( 759002 ) on Sunday February 19, 2017 @05:43PM (#53897129) Homepage

    > Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".

    I would describe Microsoft's ability to patch these bugs within a reasonable timeframe as "disappointing".

    • I would describe Microsoft's pattern of constantly distributing deeply flawed software as "inexcusable".

    • Re: (Score:3)

      by wbr1 ( 2538558 )
      The correct verbiage now is as follows:

      So-called tech company releases fake news. SAD!

    • Re: (Score:2)

      by Luthair ( 847766 )
      I have this recollection that Google delayed publishing an Apple vulnerability for quite a while.
  • It would be interesting to see if this security issue also affects LibreOffice on a Window$ system since it also opens docx files. Anyone know? I'm a Linux user (duh), but even I will admit to how much nicer M$ Office is. I like Apple's iWork stuff too, but having to save a document in a strictly Apple format to keep the cool stuff it'll do isn't worth it vs. practicality. The day LibreOffice supports Google Drive out-of-the-box and has a mobile version, Office 365 doesn't have a chance. Also, something to n

