Out o'curiosity ...
Does Windows still execute ("run") fonts instead of reading them and displaying them like any sane operating system?
Any data file format that encodes its own structures of varying size can create a bounds checking vulnerability; one failure mode is allocating based on the declared size but copying up to some delimiter.
I don't think OpenType or its TrueType predecessor have ever contained binary code; glyph instructions may create opportunities for abuse, but I'd expect that part's pretty locked down by now. The flaw is probably at a lower-level file format level.
That ? thing looks horrible -->
When your font description language requires a Turing complete system to run, someone is going to play with it. Put that in the trusted part of the OS and bad things will happen.
I've thought it was odd that there hasn't been a widespread abuse of this so far. You can get most browsers to load your own fount that happens to have an O that is drawn over and over and over again in an infinite loop.
Yes, and hackers like the folks who publish in PoC||GTFO have demonstrated that many file format parsers are Turing-complete if you try hard enough. If a parser has alternation (branching) and repetition (looping), there's a decent chance you can get it to implement a TC system.
It's also worth noting that historically many of these font-handling exploits weren't in Microsoft-written code. A quick search didn't show what DLL is fixed for '1468, but it might be in code that came from Adobe or another source. (Whether Microsoft's various Windows security reviews ought to have found and fixed it is another question, of course. And the answer is "yes".)
You're still thinking about old bitmap fonts - which no sane operating system uses any more unless it wants to look ugly on any device at any resolution but maybe the native one of the font.
Actual fonts are quite complex and are not "displayed" - they are "rendered" through *computing* the actual glyph pixels taking into account also the "environment" it's displayed within.
The introduction of displays with different ppi (higher and higher) and the wish to exploit that to allow subtle but useful typographical features meant even more complex fonts and rendering engines.
Typography was and is a complex art - unluckily the "computing" part means code which can have bugs.
"allow subtle but useful typographical features" I think the usefulness of them is far exceeded by their "subtle but fucking dangerous loopholes". Fonts, to a large extent, are just another distraction space. Designers will wet themselves over features the user will never ever notice or miss.
Good font design makes text more readable, and that means less eye strain when you have to read a lot of text.
You will not notice those features consciously, but your brain still processes them. You won't notice ligatures and kerning, but your brain will process the text better. If not, we would be using only capital letters in a monospaced font.
Also, if you are a native English speaker living in an English-speaking country, you would not encounter the many glyphs with diacritical marks which are common in other languages, and may require specific processing. See for example here (https://en.wikipedia.org/wiki/Pango) how a text rendering engine can use locale-specific glyphs.
Try to replace your system font and default browser one with a badly designed one (no, not Comic Sans), and force applications/web pages to use them. In a few hours you will notice the difference.
I have seen not a little bad marketing material designed by people without a clue about proper typography - it looks bad from the start and it's hard to read.
That is not, of course, a justification for processing bugs and vulnerabilities, but I do expect a modern OS to deliver excellent text.
Most font specifications include various length values, start-/end-of-data flags, ordering rules, etc. to try to reduce the impact of bad fonts. Many font implementers ignore some or all of these, and many popular font readers allow them to so as not to irritate their users.
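The bounds-check failure mode raised in the two comments above (allocate from the declared length, but copy up to a delimiter) and the length-value checks a reader should enforce, as an added example in C that is not from the article or from any real font library; the record layout, `parse_record_checked` and the sample bytes are all constructed for illustration:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DELIM 0xFF
/* Constructed record layout (not a real font table): byte 0 holds the declared
 * payload length N, bytes 1..N the payload, byte N+1 the DELIM terminator.
 *
 * The failure mode from the comment, for contrast (deliberately not compiled):
 *     out = malloc(buf[0]);                        // size from the header ...
 *     while (buf[++i] != DELIM) out[i-1] = buf[i]; // ... but copy to the delimiter
 * A record that declares N=3 but carries 6 bytes before DELIM overflows `out`. */

/* Hardened parser: N bounds both the allocation and the copy, must fit inside
 * the input, and the delimiter must sit exactly where N says it does.
 * Returns 0 and sets *out/*out_len on success, -1 on any inconsistency. */
int parse_record_checked(const uint8_t *buf, size_t len,
                         uint8_t **out, size_t *out_len) {
    if (len < 2) return -1;                            /* need header + delimiter */
    size_t n = buf[0];
    if (n + 2 > len) return -1;                        /* declared size exceeds input */
    if (buf[1 + n] != DELIM) return -1;                /* payload longer than declared */
    if (memchr(buf + 1, DELIM, n) != NULL) return -1;  /* payload shorter than declared */
    uint8_t *p = malloc(n ? n : 1);
    if (p == NULL) return -1;
    memcpy(p, buf + 1, n);                             /* copy exactly n, never to DELIM */
    *out = p;
    *out_len = n;
    return 0;
}

/* Constructed samples: a consistent record; one whose declared length (3) is
 * smaller than the 6 bytes before the delimiter; one truncated; one whose
 * declared length (200) runs past the end of the input. */
const uint8_t rec_good[]     = {3, 'a', 'b', 'c', DELIM};
const uint8_t rec_lying[]    = {3, 'a', 'b', 'c', 'd', 'e', 'f', DELIM};
const uint8_t rec_trunc[]    = {5, 'a', 'b', DELIM};
const uint8_t rec_overlong[] = {200, 'a', DELIM};

/* Parses one record and returns its payload length, or -1 if it was rejected. */
int check_sample(const uint8_t *rec, size_t len) {
    uint8_t *p = NULL;
    size_t n = 0;
    int rc = parse_record_checked(rec, len, &p, &n);
    free(p);
    return rc == 0 ? (int)n : -1;
}
```

Only `rec_good` is accepted; each of the other three records contradicts its own length field and is rejected before any byte is copied.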
With some fresh OS updates with the usual lack of detail as to what holes they patch, because of course, Apple software never has any bugs…
iOS 13 already up to its third minor release, god they must have written some shit code this year. Good job I don't have an iPhone!
Privilege escalation bugs should be rated as more critical than they are, as the article stated you just chain them with other bugs and wreak havoc.
Long gone are the days of assessing a bug in isolation, its risk needs to be assessed in the context of how it can be exploited if other flaws exist.
It's common for attacks to chain together multiple vulnerabilities to achieve a nasty outcome; even if the series of vulnerabilities used are "minor", the net result can be an owned system.
Whatever might be said re Windows versus Linux --- or the BSDs or Apple --- one really strange thing is that MS pushes these patches [ for good or ill ] on a monthly, at least, basis.
I use Mint 18 with KDE, although I much prefer OpenSUSE; every now and again, maybe 6 times a month, individual components are upgradable [ although nothing bad happens if they are ignored ] and here and there a kernel upgrade, again optional. But no grand patches that need urgent implementation --- and which, I am told, sometimes with Microsoft incur a reboot.
The computer[s] trundle on regardless, with no disaster. Obviously if I were running a server on BSD or Linux I would certainly patch as required; but why is it Windows needs eternal never-ending patches?
It's the end of the 20-teens, and your Windows PC can still be pwned by nothing more than a simple bad font
It's the end of the 20-teens, and businesses are still running Windows despite literally decades of problems.
"I don't have any solution, but I certainly admire the problem" - Ashleigh Brilliant
There are alternatives (caveated on whether you operate using specialised software that only runs on Windows), but the problem is very much a cold start one. No business wants to move to Linux (even if viable internally) only to have issues with "you sent us a document we can't open or that has a scrambled format" as well as user training requirements etc. Hence everyone still trundles on using Windows.
Where I work we've tried getting access to Linux servers/VMs for hosting certain apps but are constantly told that IT has nobody to support them and has no appetite to support them. When Windows is the expectation it becomes very hard to bring in something different. I have worked at banks where Linux was used because they took a line of "best tool for the job", but not everyone will do this. Let's not forget that Oracle is still used in a great many places where there are no real requirements for its capabilities and PostgreSQL would do.
Biting the hand that feeds IT © 1998–2022