Google's Project Zero team of information security specialists has published technical details and an exploit (PoC code) for a critical remote code execution bug in a graphics component of Windows 10.
Researchers discovered a vulnerability (CVE-2021-24093) in DirectWrite, Microsoft's application programming interface (API) for formatting text on the screen and rendering individual glyphs. The issue affects multiple editions of Windows 10 and Windows Server older than version 20H2.
After the 90-day disclosure deadline, Project Zero released PoC code for the vulnerability that reproduces the issue in browsers running on fully patched Windows 10 (1909) systems.
The DirectWrite API is used as the default font rasterizer in major web browsers such as Chrome, Firefox, and Edge to render web font glyphs.
Because browsers use the DirectWrite API to render fonts, attackers could exploit the vulnerability to trigger memory corruption that could allow them to remotely execute arbitrary code on target systems.
Attackers can trick a victim into visiting websites with maliciously crafted TrueType fonts that cause a heap-based buffer overflow in the fsg_ExecuteGlyph API function.
Experts reported the issue to the Microsoft Security Response Center last November. The company released security updates to address this issue in February this year.
As a reminder, we also reported earlier that Google Project Zero warned that a fresh Windows LSASS patch is ineffective.