Windows users appear to be exposed to attacks once again, after a Google Project Zero researcher published details of an unpatched security flaw in Microsoft's operating system.
Project Zero member Mateusz Jurczyk discovered a vulnerability in gdi32.dll, the Windows graphics library, that attackers can exploit against Windows systems; according to his blog post, the defect was first reported to Microsoft in March 2016.
Microsoft acknowledged the vulnerability and attempted to fix it in the MS16-074 update released in June 2016, but as Jurczyk explains, the company repaired only part of the problem.
Jurczyk notified Microsoft again on November 16, 2016, but no new patch followed. So, in line with Google Project Zero's disclosure policy, the researcher published the security hole once the 90-day deadline had expired.
That may sound harsh, but it appears to be the most effective way to pressure a vendor into taking end-user security seriously.
Microsoft has not yet commented on this new disclosure. The next scheduled update is set for March 14, since this month's Patch Tuesday has been postponed. This means Windows users will remain exposed to attacks at least until next month.
To exploit this vulnerability, a malicious user has to craft a special EMF (Enhanced Metafile) image file and get the victim's system to process it. It goes without saying that you should be wary of any files that arrive from unknown sources.
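Because the attack vector is a crafted EMF file, a practical precaution is to identify EMF content by its header rather than by file extension, and to flag files whose record structure is inconsistent. The following Python script is an added example, not code from the article or from Project Zero; it parses the public EMF header layout (record type 1, the " EMF" signature at offset 40, and the 8-byte type/size prefix every record carries), and the sample file it checks is constructed inline. It does not detect the specific gdi32.dll bug; it only tells you what is really an EMF and whether its records are self-consistent.

```python
import struct
from pathlib import Path

EMF_SIGNATURE = 0x464D4520   # " EMF", little-endian, at offset 40 of the header record
EMR_HEADER = 1               # record type of the first (header) record
EMR_EOF = 14                 # record type of the final record


def is_emf(data: bytes) -> bool:
    """True if the bytes start with an EMF header, whatever the file extension says."""
    if len(data) < 88:       # ENHMETAHEADER is at least 88 bytes
        return False
    rtype, rsize = struct.unpack_from("<II", data, 0)
    (sig,) = struct.unpack_from("<I", data, 40)
    return rtype == EMR_HEADER and rsize >= 88 and sig == EMF_SIGNATURE


def walk_records(data: bytes):
    """Yield (offset, type, size) per record; raise ValueError on a malformed one."""
    off = 0
    while off < len(data):
        if off + 8 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        rtype, rsize = struct.unpack_from("<II", data, off)
        # Every EMF record size is at least 8 bytes and a multiple of 4.
        if rsize < 8 or rsize % 4 != 0:
            raise ValueError(f"record type {rtype} at offset {off} has invalid size {rsize}")
        if off + rsize > len(data):
            raise ValueError(f"record type {rtype} at offset {off} claims {rsize} bytes, "
                             f"only {len(data) - off} remain")
        yield off, rtype, rsize
        off += rsize
        if rtype == EMR_EOF:
            break


def triage(data: bytes) -> dict:
    """Summarise a file: is it EMF, how many records, and any structural inconsistency."""
    result = {"emf": is_emf(data), "records": 0, "error": None}
    if not result["emf"]:
        return result
    # nBytes (declared file size) and nRecords sit at offsets 48 and 52 of the header.
    declared_bytes, declared_records = struct.unpack_from("<II", data, 48)
    try:
        result["records"] = sum(1 for _ in walk_records(data))
    except ValueError as exc:
        result["error"] = str(exc)
        return result
    if declared_bytes != len(data) or declared_records != result["records"]:
        result["error"] = (f"header declares {declared_bytes} bytes / {declared_records} records, "
                           f"found {len(data)} / {result['records']}")
    return result


def scan_dir(root: str) -> list:
    """Return (path, triage result) for every file under root that is EMF by content."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            if is_emf(data):
                hits.append((str(path), triage(data)))
    return hits


def build_sample_emf() -> bytes:
    """Constructed sample (not a real capture): minimal EMF with a header and an EOF record."""
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)   # nPalEntries, offPalEntries, nSizeLast
    total = 88 + len(eof)
    header = struct.pack(
        "<II4i4iIIIIHHIIIiiii",
        EMR_HEADER, 88,
        0, 0, 100, 100,            # rclBounds (device units)
        0, 0, 2646, 2646,          # rclFrame (0.01 mm)
        EMF_SIGNATURE, 0x00010000, # dSignature, nVersion
        total, 2,                  # nBytes, nRecords
        0, 0,                      # nHandles, sReserved
        0, 0, 0,                   # nDescription, offDescription, nPalEntries
        1024, 768, 320, 240,       # szlDevice, szlMillimeters
    )
    return header + eof


def build_corrupt_emf() -> bytes:
    """Same sample, but the EOF record's size field is inflated far past the file's end."""
    good = build_sample_emf()
    return good[:92] + struct.pack("<I", 0x7FFFFFF0) + good[96:]


if __name__ == "__main__":
    print(triage(build_sample_emf()))
    print(triage(build_corrupt_emf()))
    # scan_dir(r"C:\Users\Public\Downloads")  # run over a real folder of downloads
```

The record-size checks are the point: a parser that trusts a record's declared size without comparing it against the bytes actually present is exactly the kind of code that reads past the end of a buffer, so a file whose sizes do not add up is worth quarantining before any viewer touches it.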
This is not the first time Google has published unpatched security vulnerabilities. The previous case was in November 2016, which of course did not please Microsoft, which criticized Google for the disclosure, saying that it put all Windows users "at increased risk."