
Microsoft Windows So Insecure That Even Fonts Are Remotely Exploitable

Turning the alphabet into a security nightmare




Summary: The Windows userbase is once again under serious threat and at high risk because something as simple as fonts (the rendering of text/pixels on the screen) isn't done securely in Windows

THERE IS plenty of evidence which shows that Microsoft is not interested in security, maybe because there are commitments to the NSA (the motivations are hard to reason about, but Microsoft's reluctance to patch known holes is easily demonstrable).



Now we are being reminded that even fonts are a security risk in Windows. Yes, Microsoft continues to put users under remote execution threat because of fonts. As the British media put it:

Get patching: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defences.

The accomplished offensive security researcher (@j00ru) presented findings at the Recon security conference this month under the title One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation [PDF] without much fanfare and published a video demonstration of the exploit overnight.


As one commenter (found by Robert Pogson) put it, "Adobe (and I guess MS as well) put font handling in the kernel from NT 4.0 to gain speed at the expense of having privileged-based protection, and against Dave Cutler's original micro kernel plans. What could possibly go wrong?"

Proprietary software is so bad that even fonts are a huge risk. This isn't the first such incident. It also serves as a reminder for GNU/Linux users because some users continue to install proprietary software from Adobe, despite Free/libre alternatives being equally potent.

To quote the part which shows why Windows makes things even worse: "The nastiest vulnerabilities for 32-bit (CVE-2015-3052) and 64-bit (CVE-2015-0093) systems exist in the Adobe Type Manager Font Driver (ATMFD.dll) module which has supported Type 1 and Type 2 fonts in the Windows kernel since Windows NT 4.0."

"Our products just aren't engineered for security."

--Brian Valentine, Microsoft executive


