Google Details Massive Zero-Day Security Vulnerability in Windows 10

Project Zero, Google’s team of top security analysts, has revealed a zero-day vulnerability affecting the graphics component of Microsoft Windows.

Microsoft was informed about the bug, which is claimed to have allowed attackers to take down an entire Windows fleet with nothing more than a TrueType font. The issue is said to reside in Microsoft DirectWrite, a Windows interface for high-quality text rendering.




Project Zero published their bug report on the issue, CVE-2021-24093, after Microsoft released the corresponding security update on February 9th, within the standard 90-day disclosure deadline.

The report highlights how hackers remotely breached Windows systems through the operating system’s DirectWrite API, which is used for rendering fonts by popular web browsers such as Google Chrome, Firefox, and Microsoft Edge.

“Attached is the proof-of-concept TrueType font together with an HTML file that embeds it and displays the AE character,” the researchers said.

“It reproduces the crash shown above on a fully updated Windows 10 1909, in all major web browsers. The font itself has been subset to only include the faulty glyph and its dependencies.”

Hackers exploited the font rendering API by triggering memory corruption in system files, which enables attackers to remotely execute code and contaminate the system’s memory.




Microsoft released security updates to address the vulnerability on all platforms in February, during the company’s scheduled Patch Tuesday rollouts.

If you’re a Windows user and still haven’t installed the update, you should do so quickly to avoid any critical damage to your operating system.


