Last week they published details about a bug in Windows GDI (Graphics Device Interface) (gdi32.dll). Windows GDI is a library that enables applications to use graphics and formatted text on both the video display and a local printer.
TYPE CONFUSION ISSUES
Google Project Zero researcher Ivan Fratric discovered a bug, tracked as CVE-2017-0037, which is a type confusion issue.
It is a kind of security flaw that can allow an attacker to execute code on the affected machine.
Details about CVE-2017-0037 are available in Google’s bug report, along with proof-of-concept code. The PoC code causes a crash of the exploited browser, but depending on the attacker’s skill level, more dangerous exploits could be built.
Besides this, CVE-2017-0038 allows an attacker to read the content of the user’s memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents.
This vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online via a .docx document. This document contains the specially crafted EMF file.
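Because the EMF can ride inside a .docx, a defender triaging documents may want to inventory embedded EMF images by content rather than by file extension. The following is an added example, not code from the original article or from Google's report: it lists ZIP members of a .docx that begin with an EMF header, it does not decide whether an EMF is crafted, and it does not look inside OLE objects. The function names and the sample document are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

EMR_HEADER = 1               # record type of the first record in every EMF
EMF_SIGNATURE = 0x464D4520   # " EMF", little-endian DWORD at offset 40
MIN_HEADER_SIZE = 88         # size of the smallest EMF header record


def is_emf(data: bytes) -> bool:
    """True if data starts with a plausible EMF header record."""
    if len(data) < 44:
        return False
    rec_type, rec_size = struct.unpack_from("<II", data, 0)
    (signature,) = struct.unpack_from("<I", data, 40)
    return (rec_type == EMR_HEADER and signature == EMF_SIGNATURE
            and rec_size >= MIN_HEADER_SIZE and rec_size % 4 == 0)


def find_embedded_emf(docx_bytes: bytes) -> list:
    """Return names of .docx (ZIP) members whose content is an EMF."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                # Only the header is needed, so large members stay cheap.
                if is_emf(fh.read(MIN_HEADER_SIZE)):
                    hits.append(info.filename)
    return hits


def sample_docx() -> bytes:
    """Constructed sample: a ZIP laid out like a .docx, holding a minimal
    EMF header stored under a misleading .png name."""
    header = bytearray(MIN_HEADER_SIZE)
    struct.pack_into("<II", header, 0, EMR_HEADER, MIN_HEADER_SIZE)
    struct.pack_into("<I", header, 40, EMF_SIGNATURE)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", bytes(header))
        zf.writestr("word/media/image2.png", b"\x89PNG\r\n\x1a\n" + bytes(80))
    return buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_emf(sample_docx()))
```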
CONSEQUENCES OF FEBRUARY PATCH TUESDAY CANCELLATION
Besides the Edge and IE bug, Microsoft products are also plagued by two other severe security flaws: one affecting the Windows GDI component and one affecting the SMB file sharing protocol shipped with all Windows OS versions.
The good news is that these are unpatched flaws and not zero-days, as no incidents of attackers exploiting them have been reported.
The Google security expert didn’t provide any mitigation advice against attacks leveraging this security bug.
Microsoft said last week it intended to ship the February Patch Tuesday updates during March’s Patch Tuesday, scheduled for March 15.
The Google Project Zero team also detailed 16 security flaws that Microsoft had patched in the Windows NVIDIA Driver in the past.