A Google security researcher has revealed a vulnerability in Windows for which Microsoft has not released a patch yet. The issue allows attackers to steal sensitive data (such as private userdata) from the system’s memory.
The vulnerability resides in the Microsoft Graphics Component (GDI) that is part of Windows versions ranging from Vista to Windows 10. The vulnerability can be exploited if the victim opens a specially crafted malicious EMF image that can be embedded in a Word document or HTML page.
On the 17th of November last year Google reported the vulnerability to Microsoft. Google gives software developers 90 days to fix the issue. If 90 days elapse without a broadly available patch, then the issue will automatically become visible to the public. In this case not only information about the vulnerability became public, the Google researchers also made a proof-of-concept to demonstrate how the leak works.
It’s not the first time a vulnerability is found in the GDI component. Microsoft patched a similar issue in December last year. It’s also not the first time Google researchers make a Windows vulnerability public before it’s patched. There are two known cases of cyber criminals abusing these unpatched disclosed vulnerabilities.