Google outs unfixed Windows info leak flaw

Google has released full details and proof-of-concept code for a vulnerability in Windows after Microsoft failed to patch the flaw within 90 days.

Google Project Zero team member Mateusz Jurczyk alerted Microsoft to the bug in the Windows graphics device interface (GDI) dynamic link library on November 16 last year.

Using a specially crafted enhanced metafile (EMF) format file - which is used for print job spooling - Jurczyk found it was possible to exploit an out-of-bounds reads bug in how device independent bitmaps (DIBs) are processed, and leak data stored in the computer's memory.

"... it is possible to disclose uninitialised or out-of-bounds heap bytes via pixel colours, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker," Jurczyk wrote.

This could include private user data, or information about the virtual address space, he said. It is possible to trigger the bug via Internet Explorer and Microsoft Office apps.

While Microsoft had issued earlier fixes for DIB handling in the GDI, the new bug has not been addressed. Google's Project Zero has a 90-day disclosure policy after bug reports even if the affected vendor has not issued a patch, in order to put pressure on companies to fix vulnerabilities.

In January 2015, Microsoft accused Google of hurting its customers after Project Zero released details of a serious flaw in Windows 8.1, instead of waiting for a fix to be released prior to disclosure.

Last October, Google again disclosed a vulnerability in Windows that it termed "particularly serious" as it was under active exploit.

It disclosed the bug just seven days after reporting it to Microsoft because Google deemed the vulnerability as critical. No fix was available at the time.

It is unclear if Google's most recent bug disclosure was triggered by Microsoft pulling this month's Patch Wednesday set of security updates last week.