Google Project Zero has disclosed the details of a recently patched Windows vulnerability, tracked as CVE-2021-24093, that can be exploited for remote code execution in the context of any process that renders text through DirectWrite, such as a web browser. Google's researchers reported the vulnerability to Microsoft in late November 2020, and the bug report was made public on Wednesday, roughly two weeks after Microsoft released a patch.
DirectWrite is the Windows text layout and glyph rendering API that provides measuring, drawing, and hit-testing of multi-format text. Browsers on Windows rely on it to rasterize fonts, including untrusted web fonts downloaded from whatever site a user visits, which is what makes a bug in its font parser remotely reachable. The researchers tested their proof-of-concept (PoC) on a fully patched (at the time) Windows 10 in all major browsers, and published the PoC together with the technical details.
The vulnerability was discovered by Dominik Röttsches of Google and Mateusz Jurczyk of Google Project Zero.
The flaw was addressed in the February 2021 Patch Tuesday updates. It affects the Windows graphics component across all supported Windows versions and received a CVSS score of 8.8.
CVE-2021-24093 is a heap-based buffer overflow in DirectWrite's processing of a specially crafted TrueType font. An attacker could exploit it by luring a victim to a malicious website hosting a font file crafted to trigger the issue; no interaction beyond loading the page is required, since the browser hands the font to DirectWrite for rasterization.
“We have discovered a crash in the DWrite!fsg_ExecuteGlyph function when loading and rasterizing a malformed TrueType font with a corrupted “maxp” table. Specifically, it was triggered after changing the value of the maxPoints field from 168 to 0, and the maxCompositePoints value from 2352 to 3 in our test font. We believe that this causes an inadequately small buffer to be allocated from the heap,” reads the report published by Google.
In other words, the rasterizer appears to size a heap buffer from the limits declared in the font's maxp table, then fills it with the points of the glyphs actually present in the font, so a font whose maxp values understate the real point counts overflows that buffer. However, based on its exploitability assessment, Microsoft rates exploitation of the flaw in the wild as unlikely. Since the bug is reachable from a web page through any DirectWrite-backed browser, the February update should still be treated as a priority on hosts where users browse the web.
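As an added example (not Project Zero's PoC and not Microsoft's or any browser's code), the following Python script cross-checks a TrueType font's maxp limits against the glyphs actually present in its glyf table, which is exactly the inconsistency the report describes: maxPoints and maxCompositePoints lowered below the real point counts. It parses the sfnt table directory, head, maxp, loca and glyf, flattens composite glyphs recursively (with a nesting guard so a self-referencing composite cannot loop), and reports every glyph whose point or contour count exceeds the declared limit. The embedded two-glyph font is a constructed sample, not the researchers' test font, and all function names are the example's own; the script can also be pointed at real font files (for instance web fonts pulled from a proxy capture) to flag fonts that a rasterizer trusting maxp for buffer sizing would mishandle.

```python
import struct
import sys

# Composite-glyph component flags from the OpenType 'glyf' table specification.
ARG_1_AND_2_ARE_WORDS = 0x0001
ARGS_ARE_XY_VALUES = 0x0002
WE_HAVE_A_SCALE = 0x0008
MORE_COMPONENTS = 0x0020
WE_HAVE_AN_X_AND_Y_SCALE = 0x0040
WE_HAVE_A_TWO_BY_TWO = 0x0080


def parse_tables(data):
    """Return {tag: bytes} from the sfnt table directory, bounds-checking every entry."""
    num_tables = struct.unpack_from(">H", data, 4)[0]
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", data, 12 + 16 * i)
        if offset + length > len(data):
            raise ValueError("table %r runs past end of file" % tag)
        tables[tag.decode("latin-1")] = data[offset:offset + length]
    return tables


def glyph_points(glyf, loca, gid, depth=0):
    """Return (points, contours, is_composite) for glyph gid once fully flattened."""
    if depth > 16:  # nesting guard: also stops self-referencing composites from looping
        raise ValueError("composite nesting too deep at glyph %d" % gid)
    if gid + 1 >= len(loca):
        raise ValueError("reference to non-existent glyph %d" % gid)
    start, end = loca[gid], loca[gid + 1]
    if end > len(glyf):
        raise ValueError("glyph %d runs past end of glyf" % gid)
    if end <= start:  # empty glyph, e.g. a space
        return 0, 0, False
    n_contours = struct.unpack_from(">h", glyf, start)[0]
    if n_contours >= 0:
        # Simple glyph: the point count is the last endPtsOfContours entry + 1.
        end_pts = struct.unpack_from(">%dH" % n_contours, glyf, start + 10)
        return (end_pts[-1] + 1 if n_contours else 0), n_contours, False
    # Composite glyph: walk the component records and sum the referenced glyphs.
    points = contours = 0
    pos = start + 10
    while True:
        flags, component = struct.unpack_from(">HH", glyf, pos)
        pos += 4 + (4 if flags & ARG_1_AND_2_ARE_WORDS else 2)  # argument1/argument2
        pos += (2 * bool(flags & WE_HAVE_A_SCALE) + 4 * bool(flags & WE_HAVE_AN_X_AND_Y_SCALE)
                + 8 * bool(flags & WE_HAVE_A_TWO_BY_TWO))        # optional transform
        p, c, _ = glyph_points(glyf, loca, component, depth + 1)
        points += p
        contours += c
        if not flags & MORE_COMPONENTS:
            return points, contours, True


def check_font(data):
    """Cross-check every glyph against the maxp limits a rasterizer may size buffers from.

    Returns a list of findings; an empty list means maxp is consistent with glyf."""
    tables = parse_tables(data)
    version, num_glyphs = struct.unpack_from(">IH", tables["maxp"], 0)
    if version != 0x00010000:
        raise ValueError("maxp version 0.5 (CFF outlines): no glyf table to check")
    max_points, max_contours, max_cpoints, max_ccontours = struct.unpack_from(">4H", tables["maxp"], 6)
    long_loca = struct.unpack_from(">h", tables["head"], 50)[0] == 1  # head.indexToLocFormat
    if long_loca:
        loca = struct.unpack_from(">%dI" % (num_glyphs + 1), tables["loca"], 0)
    else:
        loca = [2 * v for v in struct.unpack_from(">%dH" % (num_glyphs + 1), tables["loca"], 0)]
    findings = []
    for gid in range(num_glyphs):
        points, contours, composite = glyph_points(tables["glyf"], loca, gid)
        if composite:
            checks = (("maxCompositePoints", points, max_cpoints), ("maxCompositeContours", contours, max_ccontours))
        else:
            checks = (("maxPoints", points, max_points), ("maxContours", contours, max_contours))
        for name, value, limit in checks:
            if value > limit:
                findings.append("glyph %d: %d exceeds maxp.%s=%d" % (gid, value, name, limit))
    return findings


def build_test_font(corrupt):
    """Constructed two-glyph TrueType font (sample data, not the researchers' test font).

    Glyph 0 is a simple 4-point square; glyph 1 is a composite of two copies of glyph 0
    (8 points). With corrupt=True, maxp claims maxPoints=0 and maxCompositePoints=3,
    the values the Project Zero report describes."""
    simple = struct.pack(">h4h", 1, 0, 0, 100, 100)              # 1 contour, bbox
    simple += struct.pack(">HH", 3, 0)                           # endPtsOfContours=[3], no instructions
    simple += bytes([0x37, 0x37, 0x37, 0x27])                    # on-curve, 1-byte dx/dy per point
    simple += bytes([0, 100, 0, 100]) + bytes([0, 0, 100, 0])    # dx values, then dy values
    simple += b"\0" * (-len(simple) % 4)
    composite = struct.pack(">h4h", -1, 0, 0, 200, 200)
    composite += struct.pack(">HHbb", ARGS_ARE_XY_VALUES | MORE_COMPONENTS, 0, 0, 0)
    composite += struct.pack(">HHbb", ARGS_ARE_XY_VALUES, 0, 100, 0)
    composite += b"\0" * (-len(composite) % 4)
    glyf = simple + composite
    loca = struct.pack(">3I", 0, len(simple), len(glyf))         # long loca format
    head = struct.pack(">IIII", 0x00010000, 0, 0, 0x5F0F3CF5) + b"\0" * 34 + struct.pack(">hh", 1, 0)
    mp, mcp = (0, 3) if corrupt else (4, 8)
    maxp = struct.pack(">IH13H", 0x00010000, 2, mp, 1, mcp, 2, *([0] * 9))
    tables = [(b"glyf", glyf), (b"head", head), (b"loca", loca), (b"maxp", maxp)]
    directory = struct.pack(">IHHHH", 0x00010000, len(tables), 64, 2, 0)
    body, base = b"", 12 + 16 * len(tables)
    for tag, blob in tables:
        directory += struct.pack(">4sIII", tag, 0, base + len(body), len(blob))
        body += blob + b"\0" * (-len(blob) % 4)
    return directory + body


if __name__ == "__main__":
    for path in sys.argv[1:]:  # usage: python maxp_check.py font1.ttf font2.ttf ...
        with open(path, "rb") as fh:
            print(path, check_font(fh.read()) or "maxp consistent with glyf")
    print("constructed sample:", check_font(build_test_font(corrupt=True)))
```

The check mirrors what a hardened rasterizer has to do before trusting maxp: either clamp glyph processing to the declared limits or size buffers from the glyph data itself. Fonts that fail it are not necessarily malicious (sloppy font tooling produces them too), but on an unpatched host they are exactly the inputs a fuzzer would keep.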