Project Zero, Google’s team of top security analysts, has revealed a zero-day vulnerability affecting the graphics component of Microsoft Windows.
Microsoft was informed about the bug that is claimed to have allowed attackers to take down an entire Windows fleet, simply with the help of a TrueType font. The issue is said to have its presence in a high-quality text rendering Windows interface known as Microsoft DirectWrite.
ALSO READ
Global Chip Shortage Affects Xiaomi and Realme
Project Zero published their bug report on the issue CVE-2021-24093 after Microsoft published the corresponding security update on February 9th, within the standard 90-day disclosure deadline.
The report highlights how hackers remotely breached Windows systems through the operating system’s DirectWrite API, which is used for rendering fonts by popular web browsers such as Google Chrome, Firefox, and Microsoft Edge.
“Attached is the proof-of-concept TrueType font together with an HTML file that embeds it and displays the AE character,” the researchers said.
Microsoft DirectWrite heap-based buffer overflow in fsg_ExecuteGlyph while processing variable TTF fonts https://t.co/EM4zxsIXwK
— Project Zero Bugs (@ProjectZeroBugs) February 24, 2021
“It reproduces the crash shown above on a fully updated Windows 10 1909, in all major web browsers. The font itself has been subset to only include the faulty glyph and its dependencies.”
Hackers exploited the font rendering API by triggering memory corruption in system files, which enables attackers to remotely execute code and contaminate the system’s memory.
ALSO READ
Motorola Has Numerous Smartwatches Planned for 2021
Microsoft released security updates to address the vulnerability on all platforms in February, during the company’s scheduled Patch Tuesday rollouts.
If you’re a Windows user and still haven’t installed the update, you should do so quickly to avoid any critical damage to your operating system.