Microsoft Windows So Insecure That Even Fonts Are Remotely Exploitable

Dr. Roy Schestowitz

2015-06-25 10:28:47 UTC
Modified: 2015-06-25 10:28:47 UTC

Turning the alphabet into a security nightmare

Alphabet

Summary: Windows userbase is once again under serious threat and high risk because something as simple as fonts (rendering of text/pixels on the screen) isn't done securely in Windows

THERE IS plenty evidence which shows that Microsoft is not interested in security, maybe because there are commitments to the NSA (the motivations are hard to reason about, but Microsoft's reluctant to patch known holes is easily demonstrable).

Now we are being reminded that even fonts are a security risk in Windows. Yes, Microsoft continues to put users under remote execution threat because of fonts. As the British media put it:

Get patching: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defences.

The accomplished offensive security researcher (@j00ru) presented findings at the Recon security conference this month under the title One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation [PDF ] without much fanfare and published a video demonstration of the exploit overnight.

As one commenter (found by Robert Pogson) put it, "Adobe (and I guess MS as well) put font handling in the kernel from NT 4.0 to gain speed at the expense of having privileged-based protection, and against Dave Cutler's original micro kernel plans. What could possibly go wrong?"

Proprietary software is so bad that even fonts are a huge risk. This isn't the first such incident. It serves also as a reminder for GNU/Linux users because some users continues to install proprietary software from Adobe, despite Free/libre alternatives being equally potent.

To quote the part which shows why Windows makes things even worse: "The nastiest vulnerabilities for 32-bit (CVE-2015-3052) and 64-bit (CVE-2015-0093) systems exist in the Adobe Type Manager Font Driver (ATMFD.dll) module which has supported Type 1 and Type 2 fonts in the Windows kernel since Windows NT 4.0." ⬆

"Our products just aren't engineered for security."

--Brian Valentine, Microsoft executive

Recent Techrights' Posts

Microsoft Windows Falls to All-Time Low of ~60% in Switzerland, GNU/Linux Among Top Gainers: What will it take for mainstream media (not just geeks' site) to cover it?
The Wars Aren't Ending, Now We See GAFAM Facilities Being Bombed: This is becoming a tech issue
Links 06/04/2026: Turning 34, Throwing Things Away, and Printing in GNU/Linux: Links for the day
Links 06/04/2026: Ex-Microsoft Engineer Explains Why Azure Fails, Germany Prepares for War: Links for the day
EPO "Cocaine Communication Manager" - Part XI - EPO Strike Enters Its Second Week, EPO Sheds Off Qualified Staff to Make Way for Nepotists: More than six months ago the "Cocaine Communication Manager" got arrested for cocaine use
Another Microsoft Outlook Downtime: Microsoft has sloppy code, it's not something suitable for mission-critical things
Week 2 of April IBM Layoffs Accelerate Based on Rumours: "Heard about Layoff at IBM"
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Sunday, April 05, 2026: IRC logs for Sunday, April 05, 2026
Culture of Harassment Inside Microsoft, Says Former Director at Microsoft: listen to Microsoft insiders
Drone Strikes on Amazon (GAFAM) Datacentres Highlight Azure's Miniscule Share: Azure is failing
SLAPP Censorship - Part 35 Out of 200: How to Make ~10,000 Pound Sterling (13,220.50 United States Dollars) by Copy-Pasting and Editing 10 Pages: Today it's Easter Sunday, so we'll keep this part relatively short
Gemini Links 05/04/2026: Artemis II Mission Tracker, Meditation on Copyright, Alhena 5.5.5, "Gemini as the Final Frontier of Human Cognition": Links for the day
Mainstream Media on "Practical Survivalism": Suffice to say, panic buying begets more panic and price surges
Cloud Computing as a Cloud of Smoke (Your Hosting Provider is a "Legitimate" Military Target): When a French datacentre went up in flames people joked that the "cloud" meant a cloud of smoke
Andreas Tille Congratulates Sruthi Chandran Before the Election for Debian Project Leader (DPL) is Even Over: Andreas Tille, the current Debian Project Leader (DPL) who has been in this role for nearly 24 months
When You Try to Change the World for the Better and Somehow They Find a Way to Say You Are the Villain: Don't be a fool. Don't fall for inversions of narratives.
Slop Was a Flop and Energy Crisis Will be Slop's Final Blow: Today we see no slopfarms in Google News
Links 05/04/2026: "Taiwanese Airlines to Hike Fuel Surcharges 157%" and Openly Racist Voter Suppression Starts in the US: Links for the day
Gemini Links 05/04/2026: Playing with Hyprland and Migrating Antenna Filters: Links for the day
Links 05/04/2026: "Confidential Computing" as Proprietary Bundle of False Promises and "The Web Is an Antitrust Wedge": Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Saturday, April 04, 2026: IRC logs for Saturday, April 04, 2026
SLAPP Censorship - Part 34 Out of 200: The Necessity of Transparency, Illuminating Garrett's and Graveley's 'Tag-Team' Act, Misusing the British Docket (From Far Away in America) in Efforts to Hide Bad Behaviour: Transparency is paramount
Red Tape at Red Hat (IBM): Now the guiding principles are the whims and moods of people who peddle buzzwords to manipulate IBM's share prices
The So-called 'AI' (Slop) Companies Will Have the Plug Pulled: It can vastly accelerate this bubble's implosion
Dr. Andy Farnell on a "Technology Plan B": based around Free software
Windows Lows Across the Mediterranean: Judging by this month's data from statCounter
The Future of the Net is 'in Space': Gemini Protocol is growing and GemText remains the same, so it's made to endure
Linux Foundation Profits From Scams, Fraud, and Grifting: Don't be misled by the name "Linux Foundation"
Too Hard for IBM to Keep Everybody Silent About How the Company Has Gone South: IBM is busy trying to keep disgruntled or ex workers silent using NDAs
Microsoft Transmits Malware and Back Doors to GNU/Linux Servers, Media Points the Finger at Everyone But Microsoft's Servers: Is Microsoft too poor to vet and check what it hosts and transmits?
Gemini Links 04/04/2026: "Fuzz Guy", "Reusing Old Computers with Arch Linux and DWM", and Bubble v10.0 Released: Links for the day
Links 04/04/2026: eBay Scam, "Music Publishers’ X Copyright Lawsuit Officially on Pause": Links for the day
Links 04/04/2026: Social Control Media Verdict and Bans, Whistleblower (Axel Rietschin) Explains How "Microsoft Vaporized a Trillion Dollars": Links for the day
Reaching the End/Event Horizon of LLM Slop: Are we moving towards a post-LLMs world?
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Friday, April 03, 2026: IRC logs for Friday, April 03, 2026
Gemini Links 04/04/2026: STXGE and Computer Relationships: Links for the day