
Google outs unfixed Windows info leak flaw

Microsoft again scolded in public for not patching vulnerability.

"Google has released full details and proof-of-concept code for a vulnerability in Windows after Microsoft failed to patch the flaw within 90 days.

Google Project Zero team member Mateusz Jurczyk alerted Microsoft to the bug in the Windows graphics device interface (GDI) dynamic link library on November 16 last year.

Using a specially crafted enhanced metafile (EMF) format file - which is used for print job spooling - Jurczyk found it was possible to exploit an out-of-bounds read bug in how device independent bitmaps (DIBs) are processed, and leak data stored in the computer's memory.

"... it is possible to disclose uninitialised or out-of-bounds heap bytes via pixel colours, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker," Jurczyk wrote.

This could include private user data, or information about the virtual address space, he said. It is possible to trigger the bug via Internet Explorer and Microsoft Office apps.

While Microsoft had issued earlier fixes for DIB handling in the GDI, the new bug has not been addressed. Google's Project Zero has a 90-day disclosure policy after bug reports even if the affected vendor has not issued a patch, in order to put pressure on companies to fix vulnerabilities.

In January 2015, Microsoft accused Google of hurting its customers after Project Zero released details of a serious flaw in Windows 8.1, instead of waiting for a fix to be released prior to disclosure.

Last October, Google again disclosed a vulnerability in Windows that it termed "particularly serious" as it was under active exploit.

It disclosed the bug just seven days after reporting it to Microsoft because Google deemed the vulnerability as critical. No fix was available at the time.

It is unclear if Google's most recent bug disclosure was triggered by Microsoft pulling this month's Patch Wednesday set of security updates last week."

https://www.itnews.com.au/news/google-outs-unfixed-windows-info-leak-flaw-451788
 