Microsoft Windows So Insecure That Even Fonts Are Remotely Exploitable

Dr. Roy Schestowitz

2015-06-25 10:28:47 UTC
Modified: 2015-06-25 10:28:47 UTC

Turning the alphabet into a security nightmare

Alphabet

Summary: Windows userbase is once again under serious threat and high risk because something as simple as fonts (rendering of text/pixels on the screen) isn't done securely in Windows

THERE IS plenty evidence which shows that Microsoft is not interested in security, maybe because there are commitments to the NSA (the motivations are hard to reason about, but Microsoft's reluctant to patch known holes is easily demonstrable).

Now we are being reminded that even fonts are a security risk in Windows. Yes, Microsoft continues to put users under remote execution threat because of fonts. As the British media put it:

Get patching: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defences.

The accomplished offensive security researcher (@j00ru) presented findings at the Recon security conference this month under the title One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation [PDF ] without much fanfare and published a video demonstration of the exploit overnight.

As one commenter (found by Robert Pogson) put it, "Adobe (and I guess MS as well) put font handling in the kernel from NT 4.0 to gain speed at the expense of having privileged-based protection, and against Dave Cutler's original micro kernel plans. What could possibly go wrong?"

Proprietary software is so bad that even fonts are a huge risk. This isn't the first such incident. It serves also as a reminder for GNU/Linux users because some users continues to install proprietary software from Adobe, despite Free/libre alternatives being equally potent.

To quote the part which shows why Windows makes things even worse: "The nastiest vulnerabilities for 32-bit (CVE-2015-3052) and 64-bit (CVE-2015-0093) systems exist in the Adobe Type Manager Font Driver (ATMFD.dll) module which has supported Type 1 and Type 2 fonts in the Windows kernel since Windows NT 4.0." ⬆

"Our products just aren't engineered for security."

--Brian Valentine, Microsoft executive

Recent Techrights' Posts

Writing and Coding Isn't Always Enough: Last year we had to assume a role we didn't have before: litigants
Autumn Has Come: Autumn should be exciting in all sorts of ways; it'll also mark our anniversary
Gemini Links 01/09/2025: News Corp. WSJ and A Month With NixOS: Links for the day
Slopfarms Already Peaked, They Will Die When Slop Companies Run Out of Money to Borrow: slopfarms will lack an actual "engine"
“Sideloading” Never Killed Anybody: There are many online discussions this week about the misnomer "sideloading"
Slopwatch: Google News as FUD Vector Against Linux and Plagiarism Enhancer, Serial Slopper (SS) Uses LLMs to Googlebomb "Linux": Slop destroys the Web not just by screwing with search engines and helping plagiarists. It's also responsible for de facto DDoS attacks...
Links 01/09/2025: "Attacks on Science" and China's "Soft Power" Grows: Links for the day
Links 01/09/2025: Fresh Backlash Against Slop and "Norway’s Electricity Crisis is About to Hit Britain": Links for the day
Links 01/09/2025: Catching Up (Mostly via Deutsche Welle), "Windows TCO" Effect in UK: Links for the day
Gemini Links 01/09/2025: Linguistic Barriers and "Web 1.0 Hosting": Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Sunday, August 31, 2025: IRC logs for Sunday, August 31, 2025
The UEFI 9/11 - Part IV - External Interference: They all seem to be playing a role in crushing Software Freedom and self-determination for users
Links 31/08/2025: Baggage Claim Scams, an Insurrectionist’s War on Culture, and a Sudden Robotics Hype: Links for the day
Gemini Links 31/08/2025: Reviewing Netsurf and Slightly Less Historic Ada Design: Links for the day
IBM Has Taken Control of GNOME: Don't expect a successor to be found any time soon
Links 31/08/2025: Google Gmail Data Breach and LF Puff Pieces for Pay: Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Saturday, August 30, 2025: IRC logs for Saturday, August 30, 2025
This is What Google News Has Become: Moments ago
The Slopfarm WebProNews Has Turned Google News Into a Laughing Stock Full of Plagiarism by Slop: If Google News dies of neglect, that's one thing. It's starting to seem like active neglect by Google is a form of participation.
Do What is Moral, as What's Legal Isn't Always Moral: Do what's objectively moral, no matter the costs and the risks
Slopwatch: Google News Assisting Plagiarism and Anti-Linux FUD, Serial Slopper Rips Off Linux-Centric Journalists: This makes the Web a much worse place and lessens the incentive to do journalism
Links 30/08/2025: NVIDIA Fakes Results to Hide a Bubble Already in Implosion Phase, Data Breaches Galore, Important Win for Workers' Union in Canada: Links for the day
Representing and Speaking for Animals: If I ever choose to take this matter to tribunal with animals-centric NGOs on my side, it'll get some press coverage for sure
The UEFI 9/11 - Part II - Campaign of Censorship and Defamation Against Critics: In dictatorships, humour serves an important role. It's tragic.
In Kazakhstan, Yandex Estimated to be 20 Times Bigger Than Microsoft: Bing is measured as down this month
Shutterstock Not Enough? The Register MS Uses Slop Images in Articles (Seemingly More and More Over Time): Cost-saving trajectory amid office shutdown?
Gemini Links 30/08/2025: Games, PostmarketOS, and Slop: Links for the day
Links 30/08/2025: Imgur Uproar and Many Ukraine Updates (Mediazona Reports Over 200,000 Russians Died for Putin): Links for the day
How Not to Build Software: code forges that need a Web browser perhaps fill some 'niche' demand
GAFAM and "MATA": The use of dark humour there hopefully helps illuminate what a lot of "modern" technology became like and how it interacts with human civilisation (to what ends and whose gain)
Birds Are Not "Pests and Vermin", Privacy is Not a Crime, and GNU/Linux is Not 'Hacking Platform': I could not help but think of Free software analogies
The Sites Should Be Very Fast Again: That issue is now resolved
Flying in 2025: worse than ever before
Activists, Including Technical Activists, Need Not Pursue Affirmation: Techrights doesn't play or participate in a "popularity contest"
The UEFI 9/11 - Part III - Chaos is Scheduled to Happen Second Thursday of September (No Matter What the Microsofters Tell You): The clock is ticking
Downplaying the Impact of "UEFI 9/11" is a Losing Strategy: we won't publish much whilst on holiday
Government Sites Should Run Free Software: Not proprietary bloatware with buzzwords
LLM Slopfarms Take No Breaks: When people run sites by bots they don't need to worry about "breaks"
GNOME Having a Meltdown Again: Thanks and farewell to Steven Deobald
Gemini Links 30/08/2025: Low Tech and Hunchbin 1.0.6: Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Friday, August 29, 2025: IRC logs for Friday, August 29, 2025