Another Windows 0day appears – gdi32.dll heap boundary error

Posted on February 17th, 2017 at 11:13 by woody

    As 0day bugs go, this isn’t an earth-shattering development. But it’s still enough to cause concern.

    Mateusz Jurczyk at Google Project Zero discovered a memory disclosure vulnerability and notified Microsoft on Nov. 17. Project Zero has an automatic 90-day disclosure deadline: If the vendor (in this case Microsoft) doesn’t fix the hole that’s discovered, it will be automatically disclosed 90 days later.

    Sure enough, 90 days passed and, on Feb. 14, the timer rang and the full disclosure popped out, including exploit code.

    This isn’t a huge bug. The bad guy has to get access to your computer before it can be exploited. Once logged on to your machine, the interloper can open a bad EMF file and use it to sneak a peek at system memory that isn’t theirs.

    It seems that security bulletin MS16-074 didn’t fix the problem entirely.

    Yuhong Bao (whom I’ve mentioned before, many times) sent a provocative message to the Project Zero folks. He said:

    I wonder if this was supposed to be part of the cancelled February Patch Tuesday.

    Something to ponder over the upcoming three-day US holiday.



This topic contains 9 replies, has 5 voices, and was last updated by Noel Carboni 8 months ago.

• #95034

      Noel Carboni
      AskWoody MVP

      Forgive me, but if this has been known for 3 months how is it technically a “0day”?

      According to Google:

      A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack.

      (bold emphasis mine)

      It might just be that Microsoft can’t fix it without a system redesign, and they realize that doing THAT in a hurry could cause serious problems and have weighed that knowledge against the risk of this bug causing serious problems.

      It’s hard for me to see how Project Zero can be justified in releasing exploit code to the world.

      Personally I dislike the term “zero day”, which is clearly intended to strike fear into the hearts of people who don’t take the time to know the details.

      Just don’t download and run malware and you’ll be fine.

      -Noel

• #95081

        anonymous

        “Just don’t download and run malware and you’ll be fine.” Well my friend. That’s easier said than done. Some people don’t know how to stay safe online. Also even if you’re the most careful person in the world it is still possible to slip up.

Also a legit site or program could be in fact compromised. Say one day AskWoody.com gets compromised. We could be redirected to a malware download. You could download what you think is a legit program but is indeed malware. Or you download an actual legit program from a legit source that’s been hacked, so your download is a malware-infested version of the thing you’re downloading.

        There are compromised open wi-fi hotspots among other things. My point is Noel, there’s a lot more than simply not downloading malware and running it.

• #95651

        b
        AskWoody Lounger

        Woody’s definition of zero-day: https://www.askwoody.com/forums/topic/pwnfest-brings-two-zero-day-system-level-hacks-of-edge/#post-23056

        EDITED for content. Please follow the Lounge Rules posted at the bottom.

• #95043

      rc primak
      AskWoody Lounger

      I doubt that this one was in the now-nixed Feb. 2017 MS Updates CU. Nor the Security Patch.

      -- rc primak

• #95218

      Noel Carboni
      AskWoody MVP

“My point is Noel, there’s a lot more than simply not downloading malware and running it.”

      My point in return is that, while I agree people out there will most certainly do things they shouldn’t (and everyone can make mistakes), it IS possible to set oneself up with a security environment + conscientious operation of the computer that really does keep you away from malware.

      And it doesn’t require a lot of ongoing effort to maintain. Not surprisingly, the environment I’m describing – which I have working here – is pretty different from what people consider a “typical” setup with a virus scanner checking everything at the last possible instant, and it knocks your chances of becoming infected WAY down.

      If I were to want to download software, I would start by evaluating, “do I really need this?” Conscientious computer users don’t just run anything they see to “see what happens”. That’s like seeing if a gun is loaded by pointing it at your head and pulling the trigger.

      If I were to decide, “yes, I want this”, then I would do some online research. Google will quickly turn up claims of scam, and VirusTotal.com will check sites for a malicious nature.

      Beyond the above, it would not even begin to download if it was coming from one of the tens of thousands of malware sites I have blacklisted from DNS resolution. The process that manages the list automatically gathers data from sources worldwide every day, so it’s always up to date.

      Once I was able to download this hypothetical application, I most certainly would check it with local anti-malware software (e.g., MalwareBytes).

      Assuming it passed a scan, I’d install and vet it in a throwaway virtual machine that can be restored in seconds to a prior snapshot. My virtual machine test environments are instrumented. I know what’s being done and what sites are being contacted.

      Then, once I was sure of its function, I’d make the final decision whether to install and run it on my critical workstation.

      Regarding things that run from the web, it IS possible to configure a browser not to just run any old thing it comes across online. Coupled with the blacklists that’s pretty effective at keeping infections from web pages at bay, and surprisingly the content is still available. Then if a previously trusted site becomes compromised, your system isn’t just going to infect itself.

      If you’re not protected by blacklists, configuration of more secure browser settings, and doing conscientious computing then I can see how you might think that “not downloading malware” could be a mysterious and complicated thing. It’s not, really, and I can assure you it’s quite doable.

      -Noel “malware-free going all the way back”

• #95263

        anonymous

        But keep in mind most people are gonna know how to or have the patience to setup virtual machines or configure DNS blacklists. Most don’t even want to install Windows Updates. Most people don’t even know there’s a lot of things they can do to keep themselves safe. That’s the point I was trying to make. My response wasn’t talking about you specifically Noel. Just most people in general who don’t know anything about this stuff.

• #95673

          Noel Carboni
          AskWoody MVP

          I appreciate that. I just feel it’s important to inform “most people” how things actually could be, so they don’t believe they have to settle for “good enough”. Frankly, the “run of the mill” ways of protecting systems (i.e., invite malware in and at the last minute try to block it) haven’t been all that good, historically.

          Not EVERYONE lacks the patience or prowess to do more to ensure their security, and I think those reading this site might be especially inclined to want more info. How does an uninformed person become informed if they don’t know doing things better is even possible?

          -Noel

• #95682

            anonymous

            @noel-carboni, Could you reveal how to set up your superior anti-malware system and keep it updated automatically?

• #95839

              Noel Carboni
              AskWoody MVP

              I’m happy to share. What would you like to know about it?

              My blacklisting strategy is pretty simple: It’s based on returning “not found” DNS responses from an open source DNS proxy package I’ve modified to increase list capacity. I run the package on a server, but it can be run on the same machine that uses it. It’s not a very heavy resource user.

              I run a script on a Task Scheduler schedule that retrieves publicly available malware / tracking / adware site and domain lists from various online sources once a day and creates two master lists: Specific blacklisted servers (today a bit over 60,000 entries), and wildcarded domains (today a bit over 24,000 entries).

If a site name is blacklisted, its address is simply returned as “not found” and no browser or application will be able to contact it.

If a site name is not in the blacklists, it’s considered legit and is forwarded to real online DNS servers (I use OpenDNS), then the resolved address is returned to the originator.

              This is all done at millisecond time scales. The net gain from sites not loading all the ads/tracking junk far outweighs the additional few milliseconds to search the lists and forward requests.

              If you’d like to follow my lead please feel free to read more and download the software I use here:

              http://win10epicfail.proboards.com/post/2284/thread

              I’m not saying this isn’t geeky – it’s incredibly so. Maybe one day I’ll polish it up into some kind of turnkey package. But it works – and really well.

              -Noel

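The block-or-forward decision Noel describes above (an exact server blacklist, a wildcarded domain blacklist, “not found” for anything listed, forwarding for everything else), written out as an added example. This is not the DNS proxy package he links to nor any of his scripts; it models only the list-building and lookup logic. The two feed snippets are constructed sample data in the two formats such lists commonly come in (hosts-file style and bare domain names), the upstream resolver is a stand-in table rather than a real DNS client, and the 203.0.113.x address is a documentation-range placeholder.

```python
"""Added example: the decision logic of a blacklisting DNS proxy.

Not the proxy package from the thread; a model of its two-list lookup.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

# Constructed sample feeds (not real blocklist data).
# Hosts-file style: "<ip> <name> [<name>...]", "#" starts a comment.
HOSTS_FEED = """\
# constructed hosts-style feed
0.0.0.0 ads.example.test
127.0.0.1 tracker.example.test   # inline comment
0.0.0.0 localhost
"""

# Bare-domain style: each name is blocked together with every subdomain.
DOMAIN_FEED = """\
# constructed wildcard-domain feed
malware-cdn.test
TRACKING.example.net.
"""

# Names that hosts-style feeds carry for their own bookkeeping; never block them.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}


def normalize(name: str) -> str:
    """Canonical form for comparison: lower-case, no trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_hosts_feed(text: str) -> set[str]:
    """Collect the host names from a hosts-file style feed (exact matches)."""
    names: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) < 2:                     # blank line or address only
            continue
        for host in parts[1:]:                 # first field is the address
            host = normalize(host)
            if host and host not in LOCAL_NAMES:
                names.add(host)
    return names


def parse_domain_feed(text: str) -> set[str]:
    """Collect domain names from a one-name-per-line feed (wildcard matches)."""
    names: set[str] = set()
    for line in text.splitlines():
        line = normalize(line.split("#", 1)[0])
        if line:
            names.add(line)
    return names


@dataclass
class Blacklist:
    exact: set[str]       # specific servers, matched as a whole name
    wildcard: set[str]    # domains, matched against the name and its parents

    @classmethod
    def from_feeds(cls, hosts_feeds: Iterable[str],
                   domain_feeds: Iterable[str]) -> "Blacklist":
        """Merge any number of feeds of each kind into the two master lists."""
        exact: set[str] = set()
        wildcard: set[str] = set()
        for feed in hosts_feeds:
            exact |= parse_hosts_feed(feed)
        for feed in domain_feeds:
            wildcard |= parse_domain_feed(feed)
        return cls(exact, wildcard)

    def is_blocked(self, qname: str) -> bool:
        """Set lookups only: cost grows with label count, not list size."""
        name = normalize(qname)
        if name in self.exact:
            return True
        labels = name.split(".")
        # Walk from the full name up to the top-level label so that
        # "cdn7.malware-cdn.test" is caught by the entry "malware-cdn.test".
        return any(".".join(labels[i:]) in self.wildcard
                   for i in range(len(labels)))


def resolve(blacklist: Blacklist, qname: str,
            upstream: Callable[[str], Optional[str]]) -> Tuple[str, Optional[str]]:
    """Return ("NXDOMAIN", None) for listed names, else ("FORWARD", answer)."""
    if blacklist.is_blocked(qname):
        return ("NXDOMAIN", None)
    return ("FORWARD", upstream(normalize(qname)))


# Constructed stand-in for the real upstream resolver (OpenDNS in the thread).
UPSTREAM_TABLE = {"www.askwoody.com": "203.0.113.10"}   # documentation-range IP


def fake_upstream(name: str) -> Optional[str]:
    return UPSTREAM_TABLE.get(name)


if __name__ == "__main__":
    bl = Blacklist.from_feeds([HOSTS_FEED], [DOMAIN_FEED])
    for q in ("ADS.example.test.", "cdn7.malware-cdn.test", "example.net",
              "www.askwoody.com"):
        print(q, "->", resolve(bl, q, fake_upstream))
```

Two details matter for a list of this size: the parent-domain walk means a wildcard entry blocks every subdomain without the feed having to enumerate them, and because both master lists are hash sets a lookup costs a handful of probes however many tens of thousands of entries they hold, which is what keeps the added latency in the millisecond range Noel mentions. Note also that the parent of a wildcard entry (“example.net” for “tracking.example.net”) is not blocked, only the entry and its children.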
