Another Windows 0day appears – gdi32.dll heap boundary errorPosted on February 17th, 2017 at 11:13 Comment on the AskWoody Lounge
As 0day bugs go, this isn’t an earth-shattering development. But it’s still enough to cause concern.
Mateusz Jurczyk at Google Project Zero discovered a memory disclosure vulnerability and notified Microsoft on Nov. 17. Project Zero has an automatic 90-day disclosure deadline: If the vendor (in this case Microsoft) doesn’t fix the hole that’s discovered, it will be automatically disclosed 90 days later.
Sure enough, 90 days passed and, on Feb. 14, the timer rang and the full disclosure popped out, including exploit code.
This isn’t a huge bug. The bad guy has to get access to your computer before it can be exploited. Once logged on to your machine, the interloper can open a bad EMF file and use it to sneak a peek at system memory that isn’t theirs.
It seems that security bulletin MS16-074 didn’t fix the problem entirely.
Yuhong Bao (whom I’ve mentioned before, many times) sent a provocative message to the Project Zero folks. He said:
I wonder if this was supposed to be part of the cancelled February Patch Tuesday.
Something to ponder over the upcoming three-day US holiday.