Network Security, Patch/Configuration Management, Vulnerability Management

Third party develops temporary patch for Microsoft flaw that Google disclosed

Share

Security research firm ACROS Security has issued a third-party patch for a Microsoft vulnerability that Google disclosed last month after Microsoft failed to issue a patch within Google's imposed 90-day deadline.

Officially designated as CVE-2017-0038, the vulnerability involves the mishandling of Device Independent Bitmaps by EMF metafiles implemented within the Windows Graphic Component GDI library. According to ACROS Security's 0patch blog, "Attackers can exploit this flaw to steal sensitive data that an application holds in memory or as an aid in other exploits when ASLR [address space layout randomization] needs to be defeated."

To address this concern, ACROS is making available a free copy of its patch for Windows 10 (64-bit), Windows 8.1 (64-bit), and Windows 7 (64bit and 32bit). The patch will serve as a temporary solution until Microsoft releases its own fix.

Microsoft was originally going to address the problem in February, before cancelling its Patch Tuesday update for that month due to what the company described as a "last-minute issue that could impact some customers and was not resolved in time for our planned updates..."

A Monday blog post from Bitdefender reported on the resulting ACROS patch, noting that Microsoft previously attempted to address this bug in June 2016. However, in November 2016 Google researcher Mateusz Jurczyk reported that the fix was incomplete. Google subsequently disclosed extensive details about the bug in February.

Third party develops temporary patch for Microsoft flaw that Google disclosed

Security research firm ACROS Security has issued a third-party patch for a Microsoft vulnerability that Google disclosed last month after Microsoft failed to issue a patch within Google's imposed 90-day deadline.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.