Project Zero researchers revealed this week that they helped Microsoft patch 16 security issues relating to how font processing operations are handled in the Windows kernel, 2 of which were zero-day vulnerabilities at the time they were discovered.

Project Zero is an initiative to help improve the security of crucial software. The project is sponsored by Google, and in the past, it managed to help fix critical vulnerabilities in many open- or closed-source projects such as important open source code libraries or high-end antivirus products.

In a blog post published a few days ago, the project’s researchers revealed the methodology through which they managed to discover 16 issues in the way Windows handles fonts.

Font processing has always been a problem in Windows

Fonts and font processing operations are an old problem within the Windows OS, but which has not received a lot of media attention compared to other vulnerabilities.

The issue at the core of this problem is the fact that Windows executes all font processing operations in the kernel’s ring-0 with the highest level of permissions. A vulnerability in any of the libraries or operations would immediately give an attacker direct access to the whole OS.

Microsoft slowly became aware of this problem and started to improve its products. It first moved the font engine out of the kernel starting with Windows 10 and also moved font processing operations into a sandboxed environment running in a user-mode process. Unfortunately, the problem of font processing, even if limited in Windows 10, has remained for older OS versions.

Google unknowingly discovers two zero-days

At the start of 2015, Google’s Project Zero started a massive security testing process of the Windows font processing system. The company’s experts reported their discoveries to Microsoft in May 2015.

Google’s experts discovered issues with how Windows was processing OTF and TTF fonts. The full bugs are listed in the table below.

Out of these, the first two were also used in live attacks (zero-day vulnerabilities) at the time Google discovered them.

The first is CVE-2015-2426, a security bug that Microsoft fixed in July 2015 via MS15-078. What Google engineers didn’t know is that the bug they stumbled upon was also found months or years earlier by the Hacking Team.

A month after Google reported this issue to Microsoft, a hacker by the name of Phineas Fisher would breach the Hacking Team’s servers and leak their entire database, including this zero-day exploit.

The second zero-day Project Zero engineers found was CVE-2015-2455. Microsoft would fix this issues as well, in August 2015, via MS15-080.

By the time it fixed the issue, this bug too would become public after the Keen Team would use it in the Pwn2Own competition.

Issues discovered using basic fuzzing tests

To find these vulnerabilities, Google’s engineers said they only used fuzzing techniques, basic procedures for findings bugs in software code. The fact that a few fuzzing tests exposed these issues and that multiple entities were able to discover these bugs only shows the lack of any proper security testing that the font engine received.

This probably explains why, in the past years, there have been so many security issues reported in this component. The good news is that, at least with Windows 10, the font engine won’t have direct access to the kernel anymore.

“If there is a family of software so fragile and yet widely deployed and accessible, that most security professionals can just hop in and easily find a convenient 0-day bug and use it in targeted attacks or mass campaigns, something is clearly wrong,” Google’s researchers explained, detailing the sad state of font processing operations on Windows.

Tracker ID Type Format (driver) SFNT table(s) Reported Fixed
368 Pool buffer overflow TTF (win32k.sys) glyf 21 May 2015 11 August 2015
369 Pool buffer overflow OTF (atmfd.dll) GPOS 21 May 2015 20 July 2015
370 Pool buffer overflow TTF (win32k.sys) hmtx, maxp 21 May 2015 11 August 2015
382 Pool out-of-bound reads OTF (atmfd.dll) CFF 21 May 2015 11 August 2015
383 Use-after-free OTF (atmfd.dll) CFF 21 May 2015 11 August 2015
384 Use-after-free OTF (atmfd.dll) CFF 21 May 2015 11 August 2015
385 Use of uninitialized memory OTF (atmfd.dll) CFF 21 May 2015 11 August 2015
386 Pool out-of-bound reads OTF (atmfd.dll) CFF 21 May 2015 11 August 2015
392 Pool out-of-bound reads OTF (atmfd.dll) CFF 21 May 2015 11 August 2015
401 Pool buffer overflow TTF (win32k.sys) glyf 21 May 2015 11 August 2015
402 Pool buffer overflow TTF (win32k.sys) fpgm, hmtx, maxp 21 May 2015 11 August 2015
506 Pool buffer overflow TTF (win32k.sys) OS/2 18 August 2015 10 November 2015
507 Pool buffer overflow TTF (win32k.sys) glyf 18 August 2015 10 November 2015
682 Stack buffer overflow OTF (atmfd.dll) CFF 22 December 2015 8 March 2016
683 Pool buffer overflow OTF (atmfd.dll) CFF 22 December 2015 8 March 2016
684 Pool buffer overflow TTF (win32k.sys) EBLC, EBSC 22 December 2015

(25 January 2016)

12 April 2016

Let’s block ads! (Why?)

Related Posts

Facebook Comments

Return to Top ▲Return to Top ▲