Project Zero, Google’s team of top security analysts, has revealed a zero-day vulnerability affecting the graphics component of Microsoft Windows.
Microsoft was informed about the bug, which is claimed to have allowed attackers to take down an entire Windows fleet with nothing more than a TrueType font. The issue is said to reside in Microsoft DirectWrite, a Windows interface for high-quality text rendering.
The report highlights how hackers remotely breached Windows systems through the operating system’s DirectWrite API, which is used for rendering fonts by popular web browsers such as Google Chrome, Firefox, and Microsoft Edge.
“Attached is the proof-of-concept TrueType font together with an HTML file that embeds it and displays the AE character,” the researchers said.
Microsoft DirectWrite heap-based buffer overflow in fsg_ExecuteGlyph while processing variable TTF fonts https://t.co/EM4zxsIXwK
— Project Zero Bugs (@ProjectZeroBugs) February 24, 2021
“It reproduces the crash shown above on a fully updated Windows 10 1909, in all major web browsers. The font itself has been subset to only include the faulty glyph and its dependencies.”
Hackers exploited the font rendering API by triggering memory corruption in system files, which enables attackers to remotely execute code and contaminate the system’s memory.
Microsoft released security updates to address the vulnerability on all platforms in February, during the company’s scheduled Patch Tuesday rollouts.
If you’re a Windows user and still haven’t installed the update, you should do so quickly to avoid any critical damage to your operating system.