21 Feb 2017
Google’s Project Zero team has one main goal: to find software vulnerabilities before the black hatters do, and they are very good at their job. Once a vulnerability is found, the team gives the affected company 90 days to patch it before releasing the details to the public.
On June 9, 2016, Project Zero member Mateusz Jurczyk found a vulnerability in the Windows Graphics Device Interface (GDI) that impacts systems running anything from Vista Service Pack 2 to Windows 10. The vulnerability could potentially allow a hacker to steal information right out of memory.
Microsoft produced a patch on June 15. However, embarrassingly for the software giant, the patch did not fix all the GDI vulnerabilities. This prompted Jurczyk to report the vulnerability to Microsoft once again, requesting a proof-of-concept by November 16, because, as Jurczyk states, even after the patch it was still possible to “disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.”
While Microsoft had planned to release its February patch on Valentine’s Day, the company announced that it was going to delay the patch until March, citing “a last-minute issue that could impact some customers and was not resolved in time for [Microsoft’s] planned updates.”
Even so, the Google team released the details before the patch, details that can be exploited by hackers.
That being said, there is no need for mass panic; while the vulnerability might be known for an entire month before a fix comes, hackers need physical access to a potential victim’s PC in order to exploit the vulnerability.