Project Zero, Google's zero-day bug-hunting team, has shared technical details and proof-of-concept (PoC) exploit code for a critical remote code execution (RCE) bug affecting a Windows graphics component.
The Project Zero researchers found the vulnerability, tracked as CVE-2021-24093, in a high-quality text rendering Windows API named Microsoft DirectWrite.
They reported the bug to the Microsoft Security Response Center in November. The company released security updates to address it on all vulnerable platforms on February 9, during this month's Patch Tuesday.
Impacts Windows 10 versions up to 20H2
The security flaw impacts multiple Windows 10 and Windows Server releases up to version 20H2, the most recently released version.
After the 90-day disclosure deadline expired, Project Zero published proof-of-concept exploit code that can be used to reproduce the bug in browsers running on fully patched Windows 10 1909 systems.
"Attached is the proof-of-concept TrueType font together with an HTML file that embeds it and displays the AE character," the researchers said.
"It reproduces the crash shown above on a fully updated Windows 10 1909, in all major web browsers. The font itself has been subset to only include the faulty glyph and its dependencies."
Microsoft DirectWrite heap-based buffer overflow in fsg_ExecuteGlyph while processing variable TTF fonts https://t.co/EM4zxsIXwK
— Project Zero Bugs (@ProjectZeroBugs) February 24, 2021
From heap-based buffer overflow to RCE
The DirectWrite API is used as the default font rasterizer by major web browsers such as Chrome, Firefox, and Edge for rendering web font glyphs.
Because these web browsers use the DirectWrite API for font rendering, the security flaw can be leveraged by attackers to trigger a memory corruption state that may allow them to execute arbitrary code on the targets' systems remotely.
Attackers can exploit CVE-2021-24093 by tricking targets into visiting websites with maliciously crafted TrueType fonts that trigger a heap-based buffer overflow in the fsg_ExecuteGlyph API function.
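The bug report describes the trigger as a variable TrueType font delivered to the browser as a web font. A defender inventorying the fonts a site or proxy serves can separate variable fonts (those carrying an `fvar` table) from static ones, and flag files whose table directory is truncated or points outside the file, without ever handing the glyph data to a rasterizer. The following Python is an added example written for this article; it is not Project Zero's PoC or any Microsoft code. It assumes only the sfnt table-directory layout from the OpenType specification (a 12-byte offset table followed by 16-byte table records), the `build_sfnt` helper and its sample tags are constructed here for demonstration, and the script does not parse glyph programs or reproduce the fsg_ExecuteGlyph overflow.

```python
import struct
from typing import Dict, List

# sfnt table directory, per the OpenType spec:
#   offset table : sfntVersion u32, numTables u16, searchRange u16,
#                  entrySelector u16, rangeShift u16            (12 bytes)
#   table record : tag 4s, checksum u32, offset u32, length u32  (16 bytes each)
OFFSET_TABLE = struct.Struct(">IHHHH")
TABLE_RECORD = struct.Struct(">4sIII")
# sfntVersion values that indicate TrueType (glyf) outlines: 0x00010000 and b"true"
TRUETYPE_VERSIONS = {0x00010000, 0x74727565}


def parse_table_directory(data: bytes) -> Dict[str, object]:
    """Read only the table directory; glyph data is never interpreted."""
    result: Dict[str, object] = {"tables": [], "truetype_outlines": False, "malformed": False}
    if len(data) < OFFSET_TABLE.size:
        result["malformed"] = True
        return result
    version, num_tables, _, _, _ = OFFSET_TABLE.unpack_from(data, 0)
    result["truetype_outlines"] = version in TRUETYPE_VERSIONS
    directory_end = OFFSET_TABLE.size + num_tables * TABLE_RECORD.size
    if directory_end > len(data):
        # Directory claims more records than the file holds: truncated or bogus numTables
        result["malformed"] = True
        return result
    for i in range(num_tables):
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(
            data, OFFSET_TABLE.size + i * TABLE_RECORD.size
        )
        result["tables"].append(tag)
        # A record whose bytes lie past the end of the file is a classic malformed-font signal
        if offset + length > len(data):
            result["malformed"] = True
    return result


def triage_font(data: bytes) -> Dict[str, object]:
    """Directory summary plus a 'variable' flag (presence of the fvar table)."""
    info = parse_table_directory(data)
    info["variable"] = b"fvar" in info["tables"]
    return info


def is_variable_font(data: bytes) -> bool:
    return bool(triage_font(data)["variable"])


def build_sfnt(tags: List[bytes]) -> bytes:
    """Constructed sample: a minimal TrueType-flavoured sfnt with 4-byte dummy tables."""
    n = len(tags)
    entry_selector = n.bit_length() - 1 if n else 0
    search_range = (1 << entry_selector) * 16 if n else 0
    range_shift = n * 16 - search_range
    header = OFFSET_TABLE.pack(0x00010000, n, search_range, entry_selector, range_shift)
    dir_size = OFFSET_TABLE.size + n * TABLE_RECORD.size
    records = b"".join(
        TABLE_RECORD.pack(tag, 0, dir_size + 4 * i, 4) for i, tag in enumerate(tags)
    )
    return header + records + b"\x00\x00\x00\x00" * n


if __name__ == "__main__":
    samples = {
        "variable": build_sfnt([b"head", b"glyf", b"fvar", b"gvar"]),
        "static": build_sfnt([b"head", b"glyf"]),
        "truncated": build_sfnt([b"head", b"glyf", b"fvar"])[:20],
    }
    for name, blob in samples.items():
        info = triage_font(blob)
        print(f"{name:10s} variable={info['variable']} malformed={info['malformed']} "
              f"tables={[t.decode('latin-1') for t in info['tables']]}")
```

Running the script on real files (for example, fonts pulled from a web proxy cache or a `@font-face` audit) only requires reading each file into `bytes` and passing it to `triage_font`; the output tells an operator which files belong to the variable-font class this bug concerns and which are structurally suspicious, while the fix for the bug itself remains the February 9 update.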
Google patched a similar actively exploited zero-day in the popular FreeType text rendering library used to target Chrome users.
In November, Microsoft also fixed a Windows kernel zero-day bug actively exploited in targeted attacks and publicly disclosed by Project Zero one month earlier.