It's the end of the 20-teens, and your Windows PC can still be pwned by nothing more than a simple bad font

With the year winding to a close and the holiday parties set to kick off, admins will want to check out the December Patch Tuesday load from Microsoft, Adobe, Intel, and SAP and get them installed before downing the first of many egg nogs. Redmond gifts admins a light burden This month is a relatively small patch bundle from …

  1. jake Silver badge

    Out o'curiosity ...

    Does Windows still execute ("run") fonts instead of reading them and displaying them like any sane operating system?

    1. sbt
      Paris Hilton

      By 'simple bad font', I thought they meant Comic Sans

      Any data file format that encodes its own structures of varying size can create a bounds checking vulnerability; one failure mode is allocating based on the declared size but copying up to some delimiter.

      I don't think OpenType or its TrueType predecessor have ever contained binary code; glyph instructions may create opportunities for abuse, but I'd expect that part's pretty locked down by now. The flaw is probably at a lower-level file format level.

      That ? thing looks horrible -->

      1. Anonymous Coward
        Anonymous Coward

        Re: By 'simple bad font', I thought they meant Comic Sans

        > That ? thing looks horrible

        It appears to be taken from the Jokerman typeface, which is one of those self-consciously whimsical fonts that were so of the 1990s (a la the "funny" picture frame around the peephole in Friends).

        Yuk.

        1. sbt
          Angel

          Mexican, or regular?

          Well spotted, that seems a pretty solid ident. Hadn't seen the rest of it before, but it definitely lives down to the expectations.

      2. LDS Silver badge

        "have ever contained binary"

        Binary code no, but instruction opcodes, yes:

        https://docs.microsoft.com/en-us/typography/opentype/spec/tt_instructions

        There's enough to be exploited, if the execution engine is flawed.

    2. -tim
      Facepalm

      Re: Out o'curiosity ...

      When your font description language requires a Turing complete system to run, someone is going to play with it. Put that in the trusted part of the OS and bad things will happen.

      I've thought it was odd that there hasn't been a widespread abuse of this so far. You can get most browsers to load your own fount that happens to have an O that is drawn over and over and over again in an infinite loop.

      1. Michael Wojcik Silver badge

        Re: Out o'curiosity ...

        Yes, and hackers like the folks who publish in PoC||GTFO have demonstrated that many file format parsers are Turing-complete if you try hard enough. If a parser has alternation (branching) and repetition (looping), there's a decent chance you can get it to implement a TC system.

        It's also worth noting that historically many of these font-handling exploits weren't in Microsoft-written code. A quick search didn't show what DLL is fixed for '1468, but it might be in code that came from Adobe or another source. (Whether Microsoft's various Windows security reviews ought to have found and fixed it is another question, of course. And the answer is "yes".)

    3. LDS Silver badge

      Re: Out o'curiosity ...

      You're still thinking about old bitmap fonts - which any sane operating system no longer uses unless it wants to look ugly on any device at any resolution but maybe the native one of the font.

      Actual fonts are quite complex and are not "displayed" - they are "rendered" through *computing* the actual glyph pixels taking into account also the "environment" it's displayed within.

      The introduction of displays with different ppi (higher and higher) and the wish to exploit that to allow subtle but useful typographical features meant even more complex fonts and rendering engines.

      Typography was and is a complex art - unluckily the "computing" part means code which can have bugs.

      1. Claverhouse Silver badge

        Re: Out o'curiosity ...

        Maybe I even got it from here, but I recently found the biography of Hermann Zapf, a great typographer --- and married to a great typographer --- interesting.

        https://www.linotype.com/1494/the-lifestory-of-hermann-zapf.html

      2. Tom 7 Silver badge

        Re: Out o'curiosity ...

        "allow subtle but useful typographical features" I think the usefulness of them is far exceeded by their "subtle but fucking dangerous loopholes". Fonts, to a large extent, are just another distraction space. Designers will wet themselves over features the user will never ever notice or miss.

        1. LDS Silver badge

          "Fonts, to a large extent, are just another distraction space"

          Good font design makes text more readable, and that means less eye strain when you have to read a lot of text.

          You will not notice those features consciously, but your brain still processes them. You won't notice ligatures and kerning but your brain will process the text better. If not, we would be using only capital letters in a monospaced font.

          Also, if you are a native English speaker living in an English-speaking country, you would not encounter the many glyphs with diacritical marks which are common in other languages, and may require specific processing. See for example here (https://en.wikipedia.org/wiki/Pango) how a text rendering engine can use locale-specific glyphs.

          Try to replace your system font and default browser one with a badly designed one (no, not Comic Sans), and force applications/web pages to use them. In a few hours you will notice the difference.

          I have seen not a little bad marketing material designed by people without a clue about proper typography - it looks bad from the start and it's hard to read.

          That is not, of course, a justification for processing bugs and vulnerabilities, but I do expect a modern OS to deliver excellent text.

    4. Anonymous Coward
      Anonymous Coward

      Re: Out o'curiosity ...

      Most font specifications include various length values, start-/end-of-data flags, ordering rules, etc to try to reduce the impact of bad fonts. Many font implementors ignore some or all of these, and many popular font readers allow them to so as not to irritate their users.
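An added example (my own toy code, not from any commenter and not real OpenType/TrueType parsing) illustrating both sbt's "allocate on the declared size, copy up to a delimiter" failure mode and this comment's point that declared length values are only protective if the reader actually enforces them. The record layout, DELIM, the sample records and all function names are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy record (NOT a real OpenType/TrueType table):
 * byte 0 = declared payload length N, then N payload bytes, then the delimiter 0xFF. */
#define DELIM 0xFF
/* Vulnerable pattern: allocate N bytes but copy until the delimiter, trusting that
 * the file's own N and delimiter agree. A record whose delimiter lies beyond N bytes
 * overruns the heap buffer, so this is only ever run on the consistent sample below. */
static uint8_t *parse_record_unsafe(const uint8_t *rec, size_t *out_len) {
    size_t declared = rec[0], i = 0;
    uint8_t *buf = malloc(declared ? declared : 1);
    if (!buf) return NULL;
    while (rec[1 + i] != DELIM) {   /* i is never compared with declared */
        buf[i] = rec[1 + i];
        i++;
    }
    *out_len = i;
    return buf;
}

/* Hardened: reads are bounded by the record's real length, the copy by N, and a
 * record whose two length encodings disagree is rejected instead of trusted. */
static uint8_t *parse_record_safe(const uint8_t *rec, size_t rec_len, size_t *out_len) {
    if (rec_len < 2) return NULL;
    size_t declared = rec[0];
    if (declared + 2 > rec_len) return NULL;           /* header + N + delimiter must fit */
    if (rec[1 + declared] != DELIM) return NULL;       /* delimiter exactly where N says */
    if (memchr(rec + 1, DELIM, declared)) return NULL; /* no premature delimiter */
    uint8_t *buf = malloc(declared ? declared : 1);
    if (!buf) return NULL;
    memcpy(buf, rec + 1, declared);
    *out_len = declared;
    return buf;
}

/* Constructed samples: a consistent record and one whose delimiter comes two bytes late. */
static const uint8_t GOOD_REC[] = {3, 'A', 'B', 'C', DELIM};
static const uint8_t BAD_REC[]  = {3, 'A', 'B', 'C', 'D', 'E', DELIM};

/* Payload length the hardened parser accepts, or -1 when it rejects the record. */
int safe_parse_len(const uint8_t *rec, size_t rec_len) {
    size_t n = 0;
    uint8_t *p = parse_record_safe(rec, rec_len, &n);
    if (!p) return -1;
    free(p);
    return (int)n;
}
```

The unsafe parser behaves identically on GOOD_REC; only BAD_REC separates the two, which is why a fuzzer or a sanitizer build, not normal test fonts, tends to be what finds this class of bug.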

  2. tempemeaty
    Thumb Up

    More lipstick on the old OS

    That font vulnerability is a bit last decade but Ok.

    Too bad they are not giving us a new OS for the 21st century.

    If Microsoft can't then they can't. It's OK. I understand.

    1. phuzz Silver badge

      Re: More lipstick on the old OS

      Well, I suppose this is what we get when there's no one in the thread complaining how a Microsoft update broke their software. Instead complaints that Microsoft aren't changing their OS enough.

    2. LDS Silver badge

      Re: More lipstick on the old OS

      You can always use that OS from the 1970s. It looks like nobody wants to make a new OS for the 21st century.

  3. Charlie Clark Silver badge
    Gimp

    Cupertino also to the party

    With some fresh OS updates with the usual lack of detail as to what holes they patch, because of course, Apple software never has any bugs…

    iOS 13 already up to its third minor release, god they must have written some shit code this year. Good job I don't have an I-Phone!

  4. tiggity Silver badge

    sigh

    Privilege escalation bugs should be rated as more critical than they are, as the article stated you just chain them with other bugs and wreak havoc.

    Long gone are the days of assessing a bug in isolation, its risk needs to be assessed in the context of how it can be exploited if other flaws exist.

    It's common for attacks to chain together multiple vulnerabilities to achieve a nasty outcome, even if the series of vulnerabilities used are "minor" the net result can be an owned system.

  5. Claverhouse Silver badge
    Linux

    Not Even Complaining

    Whatever might be said re Windows versus Linux --- or the BSDs or Apple --- one really strange thing is that MS pushes these patches [ for good or ill ] on a monthly, at least, basis.

    I use Mint 18 with KDE, although I much prefer OpenSUSE; every now and again, maybe 6 times a month, individual components are upgradable [ Although nothing bad happens if they are ignored ] and here and there a kernel upgrade, again optional. But no grand patches that need urgent implementation --- and I am told, sometimes with Microsoft incur a reboot.

    The computer[s] trundle on regardless, with no disaster. Obviously if I were running a server on BSD or Linux I would certainly patch as required; but why is it Windows needs eternal never-ending patches?

    1. Anonymous Coward
      Anonymous Coward

      Re: Not Even Complaining

      > but why is it Windows needs eternal never-ending patches?

      Because, instead of a fundamental redesign and rewrite, they just tacked on piece after piece to an already flawed design to get from the start to where we are today?

  6. Anonymous Coward
    Anonymous Coward

    Ugh

    It's the end of the 20-teens, and your Windows PC can still be pwned by nothing more than a simple bad font

    It's the end of the 20-teens, and businesses are still running Windows despite literally decades of problems.

    "I don't have any solution, but I certainly admire the problem" - Ashleigh Brilliant

    1. LDS Silver badge

      "still running Windows despite literally decades of problems."

      And literally decades without a real alternative...

      1. Anonymous Coward
        Anonymous Coward

        Re: "still running Windows despite literally decades of problems."

        There are alternatives (caveated on whether you operate using specialised software that only runs on Windows), but the problem is very much a cold start one. No business wants to move to Linux (even if viable internally) only to have issues with "you sent us a document we can't open or that has a scrambled format" as well as user training requirements etc. Hence everyone still trundles on using Windows.

        Where I work we've tried getting access to Linux servers/VMs for hosting certain apps but are constantly told that IT has nobody to support them and has no appetite to support them. When Windows is the expectation it becomes very hard to bring in something different. I have worked at banks where Linux was used because they took a line of "best tool for the job" but not everyone will do this. Let's not forget that Oracle is still used in a great many places where there are no real requirements for its capabilities and PostgreSQL would do.

Biting the hand that feeds IT © 1998–2022