Google Publishes PoC Code For Critical Vulnerability in Windows 10

Google's Project Zero security team has published technical details and proof-of-concept (PoC) code for a remote code execution vulnerability in a Windows graphical component. The researchers discovered the vulnerability (CVE-2021-24093) in DirectWrite, Microsoft's application programming interface (API) for formatting text on the screen and rendering individual glyphs.

The issue affects multiple editions of Windows 10 and Windows Server older than version 20H2.

After the 90-day disclosure deadline, Project Zero released PoC code for the vulnerability that reproduces the issue in browsers running on fully patched Windows 10 (1909) systems.

The DirectWrite API is used as the default font rasterizer in major web browsers such as Chrome, Firefox, and Edge to render web font glyphs. Because browsers use the DirectWrite API to render fonts, attackers could exploit the vulnerability to cause a memory corruption state that could allow them to remotely execute arbitrary code on target systems.

Attackers can trick a victim into visiting websites with maliciously crafted TrueType fonts that cause a heap-based buffer overflow in the fsg_ExecuteGlyph API function.

Experts reported the issue to Microsoft Security Response Center last November. The company released security updates to address this issue in February this year.
