Microsoft has patched a critical vulnerability in Windows that can be exploited by tricking users to visit websites that use a malicious font. The flaw was found by Google’s Project Zero bug-hunting team.
The vulnerability, CVE-2021-24093, is a remote code flaw in a Windows Graphics Component that affects multiple Windows 10 versions. Microsoft, which released a patch for the flaw on Tuesday, notes the vulnerability has a CVSS score of 8.8 – considered critical.
In a web-based attack scenario, an attacker could host a website that contains a specially crafted file that is designed to exploit the vulnerability.
The researchers note the vulnerability is present in Microsoft DirectWrite, a Windows API for high-quality text rendering. The API is widely used in desktop programs, such as Chrome, Firefox and Edge on Windows.
Their analysis revealed that the vulnerability arises when the affected browsers display glyphs from web fonts: they hand the web font's binary data to DirectWrite, which processes it inside their rendering processes.
That means a remote attacker can turn the memory corruption into code execution, provided they can steer a user to content that downloads and displays a malicious font.
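The trust boundary the two paragraphs above describe, as an added example that is not from the article or from Project Zero: untrusted web font bytes go straight to a native parser, so a host that wants a cheap pre-filter can reject fonts whose top-level sfnt table directory is inconsistent before DirectWrite ever sees them. The layout follows the public OpenType spec; the sample fonts are constructed here, and the check deliberately stops at the directory rather than the table contents where parsers do most of their work.

```python
import struct

# Added example: structural sanity check of an sfnt (TrueType/OpenType) table directory,
# the first thing any font parser reads from untrusted web font bytes.
SFNT_HEADER = struct.Struct(">IHHHH")   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")  # tag, checksum, offset, length
VALID_VERSIONS = {0x00010000, 0x4F54544F, 0x74727565}  # TrueType 1.0, 'OTTO' (CFF), 'true' (Apple)

def check_sfnt_directory(data: bytes) -> list[str]:
    """Return the problems found; an empty list means the directory is self-consistent."""
    problems = []
    if len(data) < SFNT_HEADER.size:
        return ["file shorter than sfnt header"]
    version, num_tables, *_ = SFNT_HEADER.unpack_from(data, 0)
    if version not in VALID_VERSIONS:
        problems.append(f"unknown sfntVersion 0x{version:08x}")
    dir_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if dir_end > len(data):
        problems.append(f"numTables={num_tables} overruns file ({len(data)} bytes)")
        return problems
    spans = []
    for i in range(num_tables):
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(data, SFNT_HEADER.size + i * TABLE_RECORD.size)
        name = tag.decode("latin-1")
        # Python ints do not wrap, so offset + length also catches the 32-bit overflow case
        if offset + length > len(data):
            problems.append(f"table {name!r}: offset {offset} + length {length} beyond EOF")
            continue
        if offset < dir_end:
            problems.append(f"table {name!r}: overlaps the table directory")
        spans.append((offset, offset + length, name))
    spans.sort()
    for (_s1, e1, n1), (s2, _e2, n2) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append(f"tables {n1!r} and {n2!r} overlap")
    return problems

def build_sfnt(tables: list[tuple[bytes, int, int]], size: int) -> bytes:
    """Constructed test input: a directory of (tag, offset, length) records, zero-padded to size bytes."""
    header = SFNT_HEADER.pack(0x00010000, len(tables), 0, 0, 0)
    records = b"".join(TABLE_RECORD.pack(tag, 0, off, ln) for tag, off, ln in tables)
    body = header + records
    return body + b"\0" * (size - len(body))

# Constructed samples: a consistent two-table font and one whose 'glyf' length runs past the file
GOOD_FONT = build_sfnt([(b"head", 44, 54), (b"maxp", 98, 32)], 130)
BAD_FONT = build_sfnt([(b"glyf", 44, 0xFFFFFFF0)], 64)
```

`check_sfnt_directory(GOOD_FONT)` returns an empty list, while the oversized `BAD_FONT` record is reported before any table data is read.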
The researchers also note they successfully exploited the flaw in a fully patched Windows 10 installation and released a proof of concept for the exploit.
The prompt patching of the recently identified flaw reduces the risk that it will be exploited. This is not to say it won't be abused or result in compromised computers, but nothing known about it suggests it is going to be a 'bad' exploit that is widely abused.