Google Project Zero member Mateusz Jurczyk disclosed a gdi32.dll vulnerability in the Windows operating system to Microsoft on November 16, 2016.
The report itself is quite technical and it would go too far to go into details here on the site. The following describes the turn of events however.
Jurczyk disclosed issues with gdi32.dll to Microsoft back in March, 2016. He described methods back then that would allow attackers to exploit an issue in the dynamic link library. The issue was that records failed to perform exhaustive sanitization.