Flaw in Windows Graphics Component Can Enable Web-Based Attacks
Microsoft has patched a critical vulnerability in Windows that can be exploited by tricking users into visiting websites that serve a malicious font. The flaw was found by Google’s Project Zero bug-hunting team.
The vulnerability, CVE-2021-24093, is a remote code flaw in a Windows Graphics Component that affects multiple Windows 10 versions. Microsoft, which released a patch for the flaw on Tuesday, notes the vulnerability has a CVSS score of 8.8 – considered critical.
Hackers can exploit the flaw to wage web-based attacks, Microsoft says.
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” the company says.
Hackers likely would spread links to malicious websites via phishing emails or Instant Messenger, according to Microsoft.
In a report describing the vulnerability, Google researchers Dominik Röttsches and Mateusz Jurczyk describe how they identified and reported the flaw to Microsoft in November.
The researchers note the vulnerability is present in Microsoft DirectWrite, a Windows API for high-quality text rendering. The API is widely used in desktop programs, such as Chrome, Firefox and Edge on Windows.
Their analysis revealed that the vulnerability is reachable when the affected browsers display glyphs from web fonts. “When these browsers display glyphs from web fonts, they pass on web font binary data to DirectWrite and execute it in their rendering processes,” the Google researchers note. “Thus, the possibility to leverage a memory corruption for code execution extends to a remote attacker on condition that such an attacker succeeds in steering the user to content that downloads and displays a malicious font.”
The researchers also note they successfully exploited the flaw in a fully patched Windows 10 installation and released a proof of concept for the exploit.
Microsoft has patched several other critical vulnerabilities caused by fonts.
In April 2020, Microsoft alerted its users about three zero-day flaws in the Adobe Type Manager Library, the component Windows uses to render PostScript Type 1 fonts. The company patched the vulnerabilities after attackers were found exploiting two of the zero-day flaws (see: Microsoft Alert: Fresh Zero-Day Flaws Found in Windows).
“Microsoft Windows has had similar vulnerabilities for decades and few of them became very widespread,” says Roger Grimes, defense evangelist at security firm KnowBe4.
The prompt patching of the recently identified flaw reduces the risk it will be exploited, he says. “This is not to say that it won’t be abused and won’t result in computers being compromised, but nothing known about it screams that it’s going to be a ‘bad’ exploit widely abused.”