Microsoft Windows So Insecure That Even Fonts Are Remotely Exploitable

Dr. Roy Schestowitz

2015-06-25 10:28:47 UTC
Modified: 2015-06-25 10:28:47 UTC

Turning the alphabet into a security nightmare

Alphabet

Summary: Windows userbase is once again under serious threat and high risk because something as simple as fonts (rendering of text/pixels on the screen) isn't done securely in Windows

THERE IS plenty evidence which shows that Microsoft is not interested in security, maybe because there are commitments to the NSA (the motivations are hard to reason about, but Microsoft's reluctant to patch known holes is easily demonstrable).

Now we are being reminded that even fonts are a security risk in Windows. Yes, Microsoft continues to put users under remote execution threat because of fonts. As the British media put it:

Get patching: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defences.

The accomplished offensive security researcher (@j00ru) presented findings at the Recon security conference this month under the title One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation [PDF ] without much fanfare and published a video demonstration of the exploit overnight.

As one commenter (found by Robert Pogson) put it, "Adobe (and I guess MS as well) put font handling in the kernel from NT 4.0 to gain speed at the expense of having privileged-based protection, and against Dave Cutler's original micro kernel plans. What could possibly go wrong?"

Proprietary software is so bad that even fonts are a huge risk. This isn't the first such incident. It serves also as a reminder for GNU/Linux users because some users continues to install proprietary software from Adobe, despite Free/libre alternatives being equally potent.

To quote the part which shows why Windows makes things even worse: "The nastiest vulnerabilities for 32-bit (CVE-2015-3052) and 64-bit (CVE-2015-0093) systems exist in the Adobe Type Manager Font Driver (ATMFD.dll) module which has supported Type 1 and Type 2 fonts in the Windows kernel since Windows NT 4.0." ⬆

"Our products just aren't engineered for security."

--Brian Valentine, Microsoft executive

Recent Techrights' Posts

KillerStartups.com is an LLM Spam Site That Sometimes Covers 'Linux' (Spams the Term): It only serves to distract from real articles
Gemini Links 21/11/2024: Alphabetising 400 Books and Giving the Internet up: Links for the day
Links 21/11/2024: TikTok Fighting Bans, Bluesky Failing Users: Links for the day
Links 21/11/2024: SpaceX Repeatedly Failing (Taxpayers Fund Failure), Russian Disinformation Spreading: Links for the day
Richard Stallman Earned Two More Honorary Doctorates Last Month: Two more doctorate degrees
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Wednesday, November 20, 2024: IRC logs for Wednesday, November 20, 2024
Gemini Links 20/11/2024: Game Recommendations, Schizo Language: Links for the day
Growing Older and Signs of the Site's Maturity: The EPO material remains our top priority
Did Microsoft 'Buy' Red Hat Without Paying for It? Does It Tell Canonical What to Do Now?: This is what Linus Torvalds once dubbed a "dick-sucking" competition or contest (alluding to Red Hat's promotion of UEFI 'secure boot')
Links 20/11/2024: Politics, Toolkits, and Gemini Journals: Links for the day
Links 20/11/2024: 'The Open Source Definition' and Further Escalations in Ukraine/Russia Battles: Links for the day
[Meme] Many Old Gemini Capsules Go Offline, But So Do Entire Web Sites: Problems cannot be addressed and resolved if merely talking about these problems isn't allowed
Links 20/11/2024: Standing Desks, Broken Cables, and Journalists Attacked Some More: Links for the day
Links 20/11/2024: Debt Issues and Fentanylware (TikTok) Ban: Links for the day
Jérémy Bobbio (Lunar), Magna Carta and Debian Freedoms: RIP: Reprinted with permission from Daniel Pocock
Jérémy Bobbio (Lunar) & Debian: from Frans Pop to Euthanasia: Reprinted with permission from Daniel Pocock
This Article About "AI-Powered" is Itself LLM-Generated Junk: Trying to meet quotas by making fake 'articles' that are - in effect - based on plagiarism?
Recognizing invalid legal judgments: rogue Debianists sought to deceive one of Europe's most neglected regions, Midlands-North-West: Reprinted with permission from Daniel Pocock
Google-funded group distributed invalid Swiss judgment to deceive Midlands-North-West: Reprinted with permission from Daniel Pocock
Gemini Links 20/11/2024: BeagleBone Black and Suicide Rates in Switzerland: Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Tuesday, November 19, 2024: IRC logs for Tuesday, November 19, 2024
Links 19/11/2024: War on Cables?: Links for the day
Gemini Links 19/11/2024: Private Journals Online and Spirituality: Links for the day
Drew's Development Mailing Lists and Patches to 'Refine' His Attack Pieces Against the FSF's Founder: Way to bury oneself in one's own grave...
The Free Software Foundation is Looking to Raise Nearly Half a Million Dollars by Year's End: And it really needs the money, unlike the EFF which sits on a humongous pile of oligarchs' and GAFAM cash
What IBMers Say About IBM Causing IBMers to Resign (by Making Life Hard/Impossible) and Why Red Hat Was a Waste of Money to Buy: partnering with GAFAM
In Some Countries, Desktop/Laptop Usage Has Fallen to the Point Where Microsoft and Windows (and Intel) Barely Matter Anymore: Microsoft is the next Intel basically
[Meme] The Web Wasn't Always Proprietary Computer Programs Disguised as 'Web Pages': The Web is getting worse each year
Re-de-centralisation Should Be Our Goal: Put the users in charge, not governments and corporations in charge of users
Gemini Links 19/11/2024: Rain Music, ClockworkPi DevTerm, and More: Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Monday, November 18, 2024: IRC logs for Monday, November 18, 2024