Google Project Zero has released a new Windows zero-day

Windows users seem to be exposed to attacks again, as a Google developer has released details of an unpatched Microsoft vulnerability.

Google Project Zero team member Mateusz Jurczyk discovered a vulnerability in gdi32.dll that allows attackers to compromise Windows systems, and according to his blog, the flaw was first reported to Microsoft in March 2016.

Microsoft acknowledged the vulnerability and tried to fix it with the MS16-074 update released in June 2016, but as Jurczyk says, the company managed to repair only part of the problem.

Jurczyk notified Microsoft once again on November 16, 2016, but the company did not release a new patch. So, in line with the Google Project Zero vulnerability disclosure policy, the researcher disclosed the security gap after 90 days.

It may sound somewhat like this, but it seems to be the best way to put pressure on any company to be more interested in end-user security.

Microsoft has not yet commented on this new disclosure. Note that the next scheduled update will take place on March 14, and that this month's Patch Tuesday will not be released. This means that Windows users will remain vulnerable to attacks, at least until next month.

Also, a malicious user who wants to exploit this vulnerability must create a specially crafted EMF file. It goes without saying that you should watch out for any files that come from unknown sources.

This is not the first time Google has published unpatched security vulnerabilities. The last time was in November 2016, which of course was not to the liking of Microsoft, which criticized Google for the revelation, saying that it puts all Windows users "at increased risk."


iGuRu.gr The Best Technology Site in Greece


Written by giorgos
