Google disclosed a Windows vulnerability that could allow someone to collect sensitive information via Internet Explorer and other software. The bug was originally shared with Microsoft in November, and it has been publicly revealed now because Google discloses vulnerabilities 90 days after reporting them.
Here's the heart of the problem, as told in Google's report:
The proof-of-concept file attached here consists of a single EMR_SETDIBITSTODEVICE record (excluding the header/EOF records), which originally contained a 1x1 bitmap. The dimensions of the DIB were then manually altered to 16x16, without adding any more actual image data. As a consequence, the 16x16/24bpp bitmap is now described by just 4 bytes, which is good for only a single pixel. The remaining 255 pixels are drawn based on junk heap data, which may include sensitive information, such as private user data or information about the virtual address space. I have confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file.
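As an added example (not code from Google's report or from Microsoft), the check below parses a single EMR_SETDIBITSTODEVICE record and flags a BITMAPINFOHEADER that declares more pixels than the record carries bits for, which is the mismatch described above. Field offsets follow the public MS-EMF and BITMAPINFOHEADER layouts as assumed here, and the two records it builds are constructed test data.

```python
"""Consistency check for an EMR_SETDIBITSTODEVICE record (MS-EMF type 0x50).

Flags a record whose BITMAPINFOHEADER declares more pixel data than the
record actually carries. Layout assumed from the public MS-EMF spec."""
import struct

EMR_SETDIBITSTODEVICE = 0x50
BI_RGB = 0  # uncompressed DIB; other compressions need their own size rule


def dib_row_stride(width, bpp):
    """Uncompressed DIB scanlines are padded to a multiple of 4 bytes."""
    return ((width * bpp + 31) // 32) * 4


def check_setdibitstodevice(rec):
    """Compare declared pixel data against the bytes really present in rec."""
    if len(rec) < 76:
        raise ValueError("record shorter than the fixed part")
    rtype, size = struct.unpack_from("<II", rec, 0)
    if rtype != EMR_SETDIBITSTODEVICE or size != len(rec):
        raise ValueError("not a complete EMR_SETDIBITSTODEVICE record")
    # After Type, Size and the 16-byte Bounds: xDest yDest xSrc ySrc (LONG),
    # cxSrc cySrc offBmiSrc cbBmiSrc offBitsSrc cbBitsSrc UsageSrc iStartScan cScans
    fields = struct.unpack_from("<4i9I", rec, 24)
    off_bmi, cb_bmi, off_bits, cb_bits = fields[6:10]
    if cb_bmi < 40 or off_bmi + 40 > len(rec):
        raise ValueError("BITMAPINFOHEADER not inside the record")
    _, width, height, _, bpp, compression = struct.unpack_from("<IiiHHI", rec, off_bmi)
    if compression != BI_RGB or width <= 0 or bpp not in (1, 4, 8, 16, 24, 32):
        return {"ok": None, "reason": "unsupported DIB; not checked"}
    required = dib_row_stride(width, bpp) * abs(height)
    # Only bytes that actually lie inside the record can back pixels.
    supplied = max(0, min(cb_bits, len(rec) - off_bits))
    declared_px = width * abs(height)
    backed_px = min(declared_px, supplied * 8 // bpp)  # upper bound, ignores padding
    return {"ok": supplied >= required, "required": required, "supplied": supplied,
            "unbacked_pixels": declared_px - backed_px}


def build_record(width, height, bits):
    """Constructed test record: a 24bpp BI_RGB DIB with the given bits (not the PoC)."""
    bmi = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, BI_RGB, len(bits), 0, 0, 0, 0)
    fixed = struct.pack("<4i9I", 0, 0, 0, 0, width, height,
                        76, len(bmi), 76 + len(bmi), len(bits), 0, 0, height)
    body = b"\0" * 16 + fixed + bmi + bits  # zeroed Bounds rectangle first
    return struct.pack("<II", EMR_SETDIBITSTODEVICE, 8 + len(body)) + body


if __name__ == "__main__":
    print(check_setdibitstodevice(build_record(1, 1, b"\0" * 4)))    # ok: True
    print(check_setdibitstodevice(build_record(16, 16, b"\0" * 4)))  # 255 unbacked pixels
```

A scanner for documents embedding EMF would apply the same check to every EMR_SETDIBITSTODEVICE record it encounters, treating any unbacked pixels as a reason to reject the file.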
This wouldn't be the first time Google's disclosed vulnerabilities before Microsoft fixed them. Something similar happened in 2014 when Microsoft waited two days to address a security issue Google revealed to the public. That delay was caused by Microsoft's previously unfailing commitment to "Patch Tuesday." The company usually releases patches on the same weekday even if waiting makes Windows users vulnerable to public security flaws.
Yet the company suddenly announced earlier this month that all of its security patches would be delayed until the Patch Tuesday scheduled for March. Now another member of Project Zero, the Google security research team that revealed this problem, wondered whether this bug might have been fixed in February if Microsoft hadn't delayed that month's security patches until March. Here's what we wrote about Microsoft's security patch delay:
The issue here is not that one of Microsoft's patches was broken and it had to delay it. That is quite understandable and it likely happens every single month. The difference this time is that Microsoft has to delay an entire batch of security fixes because a single one is apparently broken. We contacted Microsoft asking further questions about this, but the company refused to offer additional comments on the issue, referring us back to the official statement.
Now we know at least one vulnerability has been publicly disclosed without a security patch ready to address the problem. We don't know if the issue would have been resolved in one of the February patches (Microsoft doesn't exactly share its security plans with the world) or if it would have remained a problem either way. But now more than ever, Microsoft's insistence on bundling patches (and delaying that bundle) seems like an imperfect setup.
"Our top priority is to provide the best possible experience for customers in maintaining and protecting their systems," a Microsoft spokesperson said in a statement to Tom's Hardware. "We discovered a last minute issue that could impact some customers and was not resolved in time for our planned February security updates. We will deliver the updates as part of the next Update Tuesday on March 14." Microsoft, it seems, will be staying mum.