back to article April 2020 and – rest assured – your Windows PC can still be pwned by something so innocuous as an unruly font

Microsoft has delivered another epic Patch Tuesday, dropping fixes for more than 100 security bugs, and Adobe and Intel have added their dose of misery and security too. April showers from Redmond The April edition of Patch Tuesday sees the release of fixes for 113 CVE-listed bugs. Four really important ones are already being …

  1. Shadow Systems

    a broken Chakra Scripting Engine?

    That's not very Zen of them now is it? =-)p

    *Runs away before someone uses their Karma to run over my Dogma*

    1. robidy

      Re: a broken Chakra Scripting Engine?

      Mmmmm two 0 days targeting Windows 7 not many companies have had to delay retiring the last of the odd 2008 or 2008 R2 Server.

      Let me guess Microsoft's ESU services (very expensive licence to get updates for EoL products) is about to get a bumper boost of Sales :)

    2. Doctor Syntax Silver badge

      Re: a broken Chakra Scripting Engine?

      Is that the strange case of the dogma that didn't bark in the night?

  2. MatthewSt

    "The massive patch load is no accident, say experts" - I'm no writer, but this sentence doesn't seem to fit with anything around it. Have they been saving the patches up? Are a large quantity of patches usually accidents? Granted the bugs are (in theory) accidents, but it sounds like this is only half of what the "experts" said.

    1. J. Cook Silver badge

      No, it means that people are devoting more effort to finding and exploiting bugs.

      1. Anonymous Coward
        Anonymous Coward

        And there are more and more automated ways to find "interesting" code.

      2. Timmy B

        "No, it means that people are devoting more effort to finding and exploiting bugs."

        Well people have stuff all to do at the moment... Oh hang on I'm guessing they wouldn't be the kind to spend that much time outdoors...

  3. This post has been deleted by its author

  4. skeptical i

    the revenge of Comic Sans

    What makes you think the font code was targeted and not issuing invitations?

    Call me the worst font ever, eh? I'll show you ....

    1. Doctor Syntax Silver badge

      Re: the revenge of Comic Sans

      I've been going over the originals of some books which are now out of print and are going to be redistributed as PDFs. Where the authors wanted to pick out names in bold for some reason they used Comic Sans. That has to go.

  5. redpawn

    Ready Fire Ai...

    No, it's just Fire and more Fire. There is no Aim.

  6. Dan 55 Silver badge

    Windows 10

    So much for the sandbox...

    For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    ... it seems you can create new users and install programs in it.

    1. J27

      Re: Windows 10

      It's not like there are any apps that support the sandbox in Windows anyway. Everyone's still shipping Win32/64 API apps.

  7. herman

    It is just amazing what incredibly craptastic code MS and Adobe wrote (and continue to write). It shows that they employ junior programmers with zero experience, no oversight and no code reviews get done either. It also shows that their bug fixes are equally craptastic. If it was me, I would start by auditing the libraries and provide macro wrappers to avoid common mistakes, then recompile the whole can of worms.

  8. TeeCee Gold badge
    Mushroom ActiveX control marked 'safe for initialization'

    You do know that if you write "Dud" in marker pen on the side of a nuclear warhead, it'll still work? Right?

    1. Zippy´s Sausage Factory

      Given my experience of ActiveX controls, looking at it the wrong way is enough to stop it working.

      (Cue eye twitch while remembering "business critical" support requests...)

  9. RichardBarrell

    Fonts aren't innocuous

    Fonts are about as non-innocuous as file formats can get. They have code embedded in them for hinting which font rendering engines often have to run. There is a long history of RCE vulnerabilities in font parsing and rendering software (on all platforms as far as I can remember). NoScript bans custom web fonts in its default configuration because NoScript's authors think they're a plausible vector for drive-by malware.

    1. Anonymous Coward
      Anonymous Coward

      Re: Fonts aren't innocuous

      "Fonts are about as non-innocuous as file formats can get"

      That's ridiculous. Obviously there are more non-innocuous file format - like every single executable binary file for a start. The vulnerability is in the renderer not the font file. A text file can become harmful if the renderer has a bug that can insert executable code into a certain memory space.

      No-script bans web fonts mainly because they are thrid-party hosted and therefor provide a viable way to track users around the web. If every website uses 'cool font' from 'cool company' as their header font then 'cool compnay' knows every site you have visited. Worries about malware are not the reason although anything launched from a third party site is deemed possible to compromise, however a third party hosted javascript has way, way more potential to be menacing without even having a vulnerability in its renderer.

      1. I am the liquor

        Re: Fonts aren't innocuous

        Anything that runs any sort of program instructions is a risk, whether it's ActiveX, JavaScript, Office macros or TrueType hinting functions. Believe it or not TrueType fonts do contain executable programs so they're not in the same class as renderers for purely static data like text or images.

        In some ways they're more of a risk than JavaScript, because the interpreter they run in is likely not as well hardened as JS runtimes are nowadays. Depending on OS design, your font rendering engine might be running at a higher privilege level than a browser as well.

        It would be nice if there were some option to completely disable TrueType hinting instructions. I wonder how much benefit they really give on the latest high-DPI displays.

    2. Anonymous Coward
      Anonymous Coward

      "They have code embedded in them for hinting"

      And that code needs to be fast because you don't want weird rendering effects users will notice. Once it was mostly code run by RIPs when printing, now has to be done in real time while displaying the text on high-dpi devices.

      Maybe, time to develop a SecureType font engine and format....

  10. Long John Silver

    Better to be an outlier?

    MS Windows dwarfs in terms of usage other operating systems in government, enterprise, education, and household, contexts. Therefore a degree of passive immunity to general, not specifically targeted, attack arises from deploying a less commonly used operating system; this by virtue of criminals and mischief makers' anticipating greater return on their efforts by concentrating on attacking the most prevalent operating system.

    1. Mike 16

      Re: Better to be an outlier?

      OTOH, some mischief makers concentrate on computers and software made by a company known to be favored by folks with more money than the average bear. A company that lately seems hell-bent on achieving parity with MSFT in the "how much damage can we do with an update" contest.

    2. cdrcat

      Re: Better to be an outlier?

      iOS and Android dwarf Windows usage in a household context. And they are critical for security in a business context (they are often literally the keys to the bank and infrastructure in small to medium businesses).

  11. Anonymous Coward
    Anonymous Coward


    What a veritable PoS, I’m not referring to point of sale...

  12. Anonymous Coward
    Anonymous Coward

    Using windows is gross negligence.

    There will eventually be a high stakes court case.

  13. Anonymous Coward
    Anonymous Coward

    MS used to be pretty poor, now they're garbage

    Windows XP 741 CVE in 19 years

    Windows 7 1283 CVE in 11 years

    Windows 10 1111 CVE in 5 years

  14. Anonymous Coward
    Anonymous Coward

    I call Windows $h1td0ze.

    On a scale of 1 - 10, how funny am I?

    1. WolfFan Silver badge

      -100. Possibly less.

      1. Anonymous Coward
        Anonymous Coward

        That's a positive step change from last year.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like