Google researchers revealed last week a vulnerability in a Windows font-rendering component that can let remote attackers execute arbitrary code on Windows machines.
The vulnerability was discovered jointly by Google researcher Dominik Röttsches and Google Project Zero researcher Mateusz Jurczyk and lies in the Windows font component DirectWrite. They reported it to the Microsoft Security Response Center in November last year, and Microsoft patched it in the security update of February 9 this year. After the 90-day disclosure period, Google published the details of the vulnerability last week.
Google noted that DirectWrite is the Windows API for rendering high-quality text: displaying high-quality web text on a Windows machine depends not only on the font itself but also on the application supporting the API. Today the major desktop browsers, including Chrome, Edge and Firefox, all use Windows DirectWrite as their font rasterizer. When these browsers render web fonts into glyphs, they hand the web font's binary data to DirectWrite, which completes the rasterization.
The researchers found a memory corruption vulnerability, CVE-2021-24093, in the DirectWrite function DWrite!fsg_ExecuteGlyph that is triggered when DirectWrite loads and rasterizes a malicious TrueType font. Specifically, greatly lowering the values in the font's maxp (maximum profile) table causes the buffer allocated from the heap to be too small, resulting in a heap buffer overflow. The researchers pointed out that a remote attacker only needs to lure a user to a web page that downloads and displays the malicious TrueType font to corrupt memory and execute arbitrary code on the Windows machine.
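As an added defensive example (not Project Zero's proof of concept or any code from the article), the check below parses a TrueType font's maxp, head, loca and glyf tables and flags every glyph whose real contour or point count exceeds what maxp declares, which is the inconsistency the under-allocation described above depends on. It assumes the understated values are maxp's maxPoints and maxContours; the sample font is constructed inline and contains no real outline data.

```python
import struct

def parse_tables(font):
    """Walk the sfnt table directory and return {tag: table bytes}."""
    tables = {}
    for i in range(struct.unpack_from(">H", font, 4)[0]):
        tag, _csum, off, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        tables[tag.decode("latin-1")] = font[off:off + length]
    return tables

def check_maxp(font):
    """Return (glyph id, field, declared, actual) for each simple glyph whose real contour or
    point count exceeds maxp; a rasterizer sizing work buffers from maxp under-allocates there."""
    t = parse_tables(font)
    num_glyphs, max_points, max_contours = struct.unpack_from(">HHH", t["maxp"], 4)  # after version
    long_loca = struct.unpack_from(">h", t["head"], 50)[0] == 1   # indexToLocFormat
    offsets = struct.unpack_from(">%d%s" % (num_glyphs + 1, "I" if long_loca else "H"), t["loca"])
    if not long_loca:
        offsets = [o * 2 for o in offsets]            # short loca stores byte offset / 2
    glyf, findings = t["glyf"], []
    for gid in range(num_glyphs):
        start, end = offsets[gid], offsets[gid + 1]
        n_contours = struct.unpack_from(">h", glyf, start)[0] if end > start else 0
        if n_contours <= 0:
            continue   # empty (0) or composite (<0) glyph; composites fall under maxComposite*, not checked here
        ends = struct.unpack_from(">%dH" % n_contours, glyf, start + 10)  # endPtsOfContours after 10-byte header
        n_points = ends[-1] + 1
        if n_contours > max_contours:
            findings.append((gid, "maxContours", max_contours, n_contours))
        if n_points > max_points:
            findings.append((gid, "maxPoints", max_points, n_points))
    return findings

# Constructed sample font: only the four tables this check needs, with no real outline data.
def _glyph(*contour_sizes):
    ends = [sum(contour_sizes[:i + 1]) - 1 for i in range(len(contour_sizes))]
    return struct.pack(">5h", len(contour_sizes), 0, 0, 0, 0) + struct.pack(">%dH" % len(ends), *ends)
def build_font(max_points, max_contours):
    tables = {
        "maxp": struct.pack(">IHHH", 0x00010000, 2, max_points, max_contours) + b"\0" * 22,
        "head": b"\0" * 54,                           # indexToLocFormat = 0 (short offsets)
        "loca": struct.pack(">3H", 0, 6, 13),         # byte offsets 0, 12, 26 halved
        "glyf": _glyph(4) + _glyph(5, 6),             # glyph 0: 1 contour, 4 pts; glyph 1: 2 contours, 11 pts
    }
    tags = sorted(tables)
    header, directory, body = struct.pack(">IHHHH", 0x00010000, len(tags), 0, 0, 0), b"", b""
    for tag in tags:
        directory += struct.pack(">4sIII", tag.encode(), 0, 12 + 16 * len(tags) + len(body), len(tables[tag]))
        body += tables[tag] + b"\0" * (-len(tables[tag]) % 4)
    return header + directory + body
```

`check_maxp(build_font(11, 2))` returns no findings, while `build_font(3, 1)` understates both fields and is flagged for each glyph it undersizes.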
CVE-2021-24093 carries a severity score of 8.8, rated high. Affected products include Windows 10 versions 1607, 1803, 1809, 1909 and 2004 up to 20H2, and Windows Server 2016, 2019, 1909, 2004 and 20H2, among others.
Project Zero also published an HTML file embedding a malicious TrueType font as a proof of concept, demonstrating memory corruption in several browser environments on a fully patched Windows 10 1909 machine.
Google also patched a zero-day bug in Chrome's FreeType font library in October last year, CVE-2020-15999, which could be chained with another vulnerability in the Windows kernel, CVE-2020-17087, for sandbox escape attacks.