Better make sure your Windows 10 patches are up to date, as Google’s Project Zero has just released Proof of Concept code for a just-patched Windows 10 flaw which can be exploited by simply visiting a web page.
Microsoft DirectWrite heap-based buffer overflow in fsg_ExecuteGlyph while processing variable TTF fonts https://t.co/EM4zxsIXwK
— Project Zero Bugs (@ProjectZeroBugs) February 24, 2021
The issue is a flaw in Microsoft DirectWrite, the Windows font renderer that is also used in all browsers. Specially crafted TrueType fonts can cause it to corrupt memory and crash, which can then be used to run code at kernel privileges.
“Attached is the proof-of-concept TrueType font together with an HTML file that embeds it and displays the AE character,” Google noted. “It reproduces the crash shown above on a fully updated Windows 10 1909, in all major web browsers. The font itself has been subset to only include the faulty glyph and its dependencies.”
The flaw, tracked as CVE-2021-24093, was only just patched on the 9th of February 2021, meaning any users who have delayed installing this month’s Cumulative Updates are still vulnerable.
Read more about the issue at Google here, and patch your computer by Checking for Updates in Settings.