- Oct 23, 2012
- 12,527
Google has recently published the details of a Windows vulnerability that’s yet to get a patch from Microsoft, which means that users running the operating system on their desktops are still exposed to attacks.
A third-party security group called 0patch and created by experts at ACROS Security released a third-party patch for the Windows gdi32.dll memory disclosure bug in an attempt to address the vulnerability until Microsoft ships a patch. This is projected to happen on March 14 when Microsoft rolls out this month’s Patch Tuesday updates.
A third-party security group called 0patch and created by experts at ACROS Security released a third-party patch for the Windows gdi32.dll memory disclosure bug in an attempt to address the vulnerability until Microsoft ships a patch. This is projected to happen on March 14 when Microsoft rolls out this month’s Patch Tuesday updates.
The gdi32.dll vulnerability, tracked as CVE-2017-0038, is the first one getting what the group calls a 0patch, which is essentially a fix for a 0day that’s yet to be patched by the vendor.
The security flaw exists in the way the EMF image format is handled by Windows, allowing an attacker to access sensitive data on a vulnerable system. Windows 7, Windows 8.1, and Windows 10 are all affected and getting today’s third-party patch.
Security concerns
Users who want to deploy this fix need to download the so-called 0patch Agent, a dedicated application that will automatically receive and deploy third-party patches for zero-days that aren’t fixed by their vendors. Once Microsoft ships its own patch, the unofficial fix is automatically removed, 0patch explains.
“Microsoft will likely fix this issue with their next Patch Tuesday (March 14), so ours is the only patch available in the World until then. We'll also try to micropatch the other 0-day revealed by Google,” the group says.
While a temporary patch certainly comes in handy especially because Microsoft sometimes needs more time to address the zero-days that are being made public, it remains to be seen how many users actually agree to install these fixes since they do not come from Microsoft itself given all the security concerns.
At the same time, it’d be interesting to see what the Redmond-based software giant believes about this new effort, so we reached out to the firm to ask whether it recommends users to install these patches or not.