Windows gdi32.dll security vulnerability fixed by third party 0patch

by Radu Tyrsina
Radu Tyrsina
Radu Tyrsina
CEO & Founder
Radu Tyrsina has been a Windows fan ever since he got his first PC, a Pentium III (a monster at that time). For most of the kids of... read more
Affiliate Disclosure

Recently, there’s hardly surprise in hearing that a company is having security trouble. One of the latest victims is Microsoft itself, with recent vulnerabilities discovered in multiple Microsoft services including Windows along with Internet Explorer and Microsoft Edge browsers.

Microsoft is in Project Zero’s crosshairs

Microsoft’s issues have been picked up by Project Zero, a group of Google employees that seek to find critical security issues within software and inform its developers about it. If developers do not take action in a given amount of time, Project Zero proceeds to make the information public, exposing the developers and protecting the users.

Before Microsoft could come up with a solution (which it seems to have been trying to, given the recent delay of the latest Patch Tuesday security releases), another organization took action and provided a solution for the problem.

The salvation comes from a fresh “fixer” in the software industry known as 0patch. They have created a fix with the same name that targets zero-day threats including the gdi32.dl file which has been causing Microsoft headaches. 0patch’s move is fortuitous as there wasn’t any sign from Microsoft that it would be releasing any security updates until March.

So, who is responsible for the solution?

The developer behind 0patch, ACROS, is aiming to create a solution that will remain relevant for all threats as it will provide new and universal approaches to combating threats— they don’t want to provide just a temporary solution that works against a specific threat. Here is what ACROS stated:

“Microsoft will likely fix this issue with their next Patch Tuesday (March 14), so ours is the only patch available in the World until then. We’ll also try to micropatch the other 0-day revealed by Google.

While 3rd-party patches are highly valuable for such zero-days, we still expect most 3rd-party patches to cover the “security update gap” where an official fix is already available but is being tested,  leaving users exposed to “already patched vulnerabilities.”

It remains to be seen…

Will this approach be greeted by the Windows user community? After all, placing their security in the hands of a third-party developer would be an important and even critical decision for Windows users.


This article covers:Topics: