The Project Zero team, Google’s zero-day bug-hunting team, has released technical details about a vulnerability in the Windows graphics component. With a proof-of-concept, the team shows the takeover of a system with the help of a TrueType font.
The security researchers at Project Zero have now published further details on the vulnerability and show the takeover with a proof-of-concept exploit. The bug was reported to the Microsoft Security Response Center back in November. Now that the corresponding security update was published on February 9th and the 90-day blocking period for the publication has passed, details about the vulnerability CVE-2021-24093 are now following.
Patch is available
Microsoft fixed the security vulnerability classified as critical with the patch day February 2021 for Windows 10 – so if you have not yet installed the update, you should do it quickly.
The trigger is a bug in the Windows interface for displaying text called Microsoft DirectWrite. The DirectWrite API is used by popular web browsers such as Chrome, Firefox and Edge as the standard font rasterizer for rendering web font glyphs. Because these web browsers use the DirectWrite API to render fonts, the vulnerability can be exploited by attackers to trigger a memory corruption state. This state then enables an attacker to remotely execute arbitrary code on the target systems.
Four Years Ago: Project Zero: Disclosed bug in Windows
This is what makes vulnerability so dangerous. Attackers could exploit CVE-2021-24093 by tricking their victims into visiting websites with appropriately manipulated TrueType fonts that could trigger a heap-based buffer overflow in the fsg_ExecuteGlyph API function. This can happen with a phishing campaign, for example.
Read More: Google Chrome Adds Group Tabs Feature
Digital marketing enthusiast and industry professional in Digital technologies, Technology News, Mobile phones, software, gadgets with vast experience in the tech industry, I have a keen interest in technology, News breaking.