CVE-2020-0744: 
vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2020-0744) exists in the Windows Graphics Device Interface (GDI) that affects how it handles objects in memory. The vulnerability was discovered in January 2020 and affects various versions of Microsoft Windows including Windows 10, Windows 8.1, and Windows 7 SP1. This security flaw allows attackers to retrieve sensitive information from targeted systems (NVD, CVE).

The vulnerability specifically exists within the StretchDIBitsImpl function and DIB scaling handling. The issue stems from improper validation of user-supplied data, which can result in an out-of-bounds read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The flaw is classified as CWE-125 (Out-of-bounds Read) (ZDI-20-552, ZDI-20-578, NVD).

The vulnerability allows attackers to disclose sensitive information from affected Windows installations. While the vulnerability itself is limited to information disclosure, attackers could potentially leverage this flaw in conjunction with other vulnerabilities to execute code in the context of the current process (ZDI-20-552).

Microsoft has released security updates to address this vulnerability. Users and administrators should apply the appropriate patches through Microsoft's security update mechanism (MSRC Advisory).