a broken Chakra Scripting Engine?
That's not very Zen of them now is it? =-)p
*Runs away before someone uses their Karma to run over my Dogma*
Microsoft has delivered another epic Patch Tuesday, dropping fixes for more than 100 security bugs, and Adobe and Intel have added their dose of misery and security too.
April showers from Redmond
The April edition of Patch Tuesday sees the release of fixes for 113 CVE-listed bugs. Four really important ones are already being …
Mmmmm, two 0-days targeting Windows 7 not patched... how many companies have had to delay retiring the last of them... plus the odd 2008 or 2008 R2 Server.
Let me guess: Microsoft's ESU services (very expensive licence to get updates for EoL products) are about to get a bumper boost of sales :)
"The massive patch load is no accident, say experts" - I'm no writer, but this sentence doesn't seem to fit with anything around it. Have they been saving the patches up? Are a large quantity of patches usually accidents? Granted the bugs are (in theory) accidents, but it sounds like this is only half of what the "experts" said.
So much for the sandbox...
For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
... it seems you can create new users and install programs in it.
It is just amazing what incredibly craptastic code MS and Adobe wrote (and continue to write). It shows that they employ junior programmers with zero experience, no oversight and no code reviews get done either. It also shows that their bug fixes are equally craptastic. If it was me, I would start by auditing the libraries and provide macro wrappers to avoid common mistakes, then recompile the whole can of worms.
Fonts are about as non-innocuous as file formats can get. They have code embedded in them for hinting which font rendering engines often have to run. There is a long history of RCE vulnerabilities in font parsing and rendering software (on all platforms as far as I can remember). NoScript bans custom web fonts in its default configuration because NoScript's authors think they're a plausible vector for drive-by malware.
"Fonts are about as non-innocuous as file formats can get"
That's ridiculous. Obviously there are more non-innocuous file formats - like every single executable binary file for a start. The vulnerability is in the renderer, not the font file. A text file can become harmful if the renderer has a bug that can insert executable code into a certain memory space.
NoScript bans web fonts mainly because they are third-party hosted and therefore provide a viable way to track users around the web. If every website uses 'cool font' from 'cool company' as their header font then 'cool company' knows every site you have visited. Worries about malware are not the reason, although anything launched from a third-party site is deemed possible to compromise; however, third-party hosted JavaScript has way, way more potential to be menacing without even having a vulnerability in its renderer.
Anything that runs any sort of program instructions is a risk, whether it's ActiveX, JavaScript, Office macros or TrueType hinting functions. Believe it or not TrueType fonts do contain executable programs so they're not in the same class as renderers for purely static data like text or images.
In some ways they're more of a risk than JavaScript, because the interpreter they run in is likely not as well hardened as JS runtimes are nowadays. Depending on OS design, your font rendering engine might be running at a higher privilege level than a browser as well.
It would be nice if there were some option to completely disable TrueType hinting instructions. I wonder how much benefit they really give on the latest high-DPI displays.
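As an added example (not from any commenter or from The Register), the following Python shows concretely what the comment above means by fonts carrying executable programs: it builds a constructed, minimal TrueType container, walks the table directory with bounds checks, and disassembles the 'fpgm' and 'prep' hinting programs so a triage script can report which tables hold bytecode. Opcode values are from the public TrueType instruction set; the sample font, table contents and helper names are constructed for this illustration.

```python
import struct
OPNAMES = {0x2B: "CALL", 0x2C: "FDEF", 0x2D: "ENDF", 0x85: "SCANCTRL"}  # no inline operands
CODE_TABLES = (b"fpgm", b"prep")  # per-glyph programs inside 'glyf' are omitted here

def build_font(tables):
    """Assemble a minimal sfnt container from {tag: bytes} (constructed sample)."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)
    records, body = b"", b""
    for tag, data in tables.items():
        records += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)  # tables are 4-byte aligned
    return header + records + body

def parse_tables(font):
    """Return {tag: bytes} from the table directory, rejecting out-of-bounds records."""
    _, n = struct.unpack_from(">IH", font, 0)
    out = {}
    for i in range(n):
        tag, _, off, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        if off + length > len(font):
            raise ValueError(f"table {tag!r} runs past end of file")
        out[tag] = font[off:off + length]
    return out

def disassemble(code):
    """Decode TrueType bytecode into mnemonics, consuming inline push operands."""
    out, i = [], 0
    while i < len(code):
        op = code[i]; i += 1
        if 0xB0 <= op <= 0xB7:            # PUSHB[n]: n+1 inline bytes follow
            k = op - 0xB0 + 1; out.append(f"PUSHB {list(code[i:i + k])}"); i += k
        elif 0xB8 <= op <= 0xBF:          # PUSHW[n]: n+1 inline 16-bit words follow
            k = op - 0xB8 + 1; out.append(f"PUSHW {list(struct.unpack_from(f'>{k}h', code, i))}"); i += 2 * k
        elif op == 0x40:                  # NPUSHB: a count byte, then that many bytes
            k = code[i]; i += 1; out.append(f"NPUSHB {list(code[i:i + k])}"); i += k
        else:
            out.append(OPNAMES.get(op, f"OP_{op:02X}"))
    return out

def hinting_report(font):
    """Which tables carry executable hinting code, and how many instructions each."""
    tables = parse_tables(font)
    return {t.decode(): len(disassemble(tables[t])) for t in CODE_TABLES if t in tables}

SAMPLE = build_font({  # constructed sample: one static table, two holding real TrueType bytecode
    b"head": b"\0" * 54,                                          # static metadata, no code
    b"fpgm": bytes([0xB0, 0x01, 0x2C, 0xB8, 0x00, 0x40, 0x2D]),  # PUSHB 1; FDEF; PUSHW 64; ENDF
    b"prep": bytes([0x40, 0x02, 0x01, 0x00, 0x85]),              # NPUSHB [1, 0]; SCANCTRL
})
```

Running `hinting_report(SAMPLE)` yields `{'fpgm': 4, 'prep': 2}`, i.e. two of the three tables are programs rather than data, which is the distinction the comment draws between fonts and purely static formats.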
And that code needs to be fast because you don't want weird rendering effects users will notice. Once it was mostly code run by RIPs when printing; now it has to be done in real time while displaying the text on high-DPI devices.
Maybe, time to develop a SecureType font engine and format....
MS Windows dwarfs other operating systems in terms of usage in government, enterprise, education and household contexts. Therefore a degree of passive immunity to general, not specifically targeted, attack arises from deploying a less commonly used operating system; this by virtue of criminals and mischief makers anticipating greater return on their efforts by concentrating on attacking the most prevalent operating system.
OTOH, some mischief makers concentrate on computers and software made by a company known to be favored by folks with more money than the average bear. A company that lately seems hell-bent on achieving parity with MSFT in the "how much damage can we do with an update" contest.