Google's Project Zero exposed security issues in Windows, Internet Explorer and Edge by Google that Microsoft is yet to fix until mid-March, so a third party, 0patch decided to step in to help out and issued a fix for a gdi32.dll vulnerability found in Windows 10.
Google Project Zero is a group of Google security experts who look for flaws and vulnerabilities in the operating systems and programs most commonly used to communicate to companies and have them solved. However, this group only offers developers 90 days to solve the detected failures and, if they do not, they will be made public, exposing the company and, even worse, endangering users. Google says Project Zero exists to promote openness and to push software providers to solve problems.
The bug is very complicated to exploit and also requires physical access to the computer, so Microsoft did not consider it a priority and delayed the release of the patch.
The flaw was discovered in November 2016 and was reported to the company for it to solve. This vulnerability is specifically found in the Windows gdi32.dll library and can allow any hacker to collect victim information through any GDI client, for example, with the Internet Explorer browser.
The team behind 0patch’s idea is ACROS security and rather than just patching a single vulnerability as a one-off, it wants to create a new method of addressing security issues -- 0patching. This is a new technique that will allow vendors to deploy microscopic patches for vulnerabilities in their products, reducing the time between vulnerability discovery and patch application.
The first patch to be produced is for CVE-2017-0038. 0patch updates will move beyond this flaw and will be released when a vendor has yet to solve an issue.
0patch is a free tool that allows us to protect, at memory level, different known vulnerabilities. As the security patches are applied directly to memory, in addition, we will not have problems when installing the official patches when they arrive since the original files at no time are modified.
To protect us, all we have to do is download the client from its main web page and install it on our computer. Once opened, it will analyse our system and apply any patches we do not have installed, such as those of this vulnerability.
Renata Stupar from ACROS Security said, “Microsoft will likely fix the patch on Tuesday (March 14) so ours is the only patch available in the World until then. We'll also try to micro patch the other 0-day revealed by Google.” This means that the 0patch solution would be temporary until Microsoft issues its own fix.
As of March 14, hopefully, we will not receive the vulnerability patch from the GDI library, registered as CVE-2017-0038.
The company suspended February’s Patch Tuesday because of an unnamed flaw that could not be solved in time. While Microsoft has not said what the issue was, it could have been the Windows 10 problem found by Google Project Zero.
There is, however, a trust issue on whether users of Windows are willing to place their trust in an unknown third party to address security issues is something that remains to be seen.