14 DAY TRIAL // Project Zero researchers revealed this week that they helped Microsoft patch 16 security issues relating to how font processing operations are handled in the Windows kernel, 2 of which were zero-day vulnerabilities at the time they were discovered.
Project Zero is an initiative to help improve the security of crucial software. The project is sponsored by Google, and in the past, it managed to help fix critical vulnerabilities in many open- or closed-source projects such as important open source code libraries or high-end antivirus products.
In a blog post published a few days ago, the project's researchers revealed the methodology through which they managed to discover 16 issues in the way Windows handles fonts.
Font processing has always been a problem in Windows
Fonts and font processing operations are an old problem within the Windows OS, but which has not received a lot of media attention compared to other vulnerabilities.
The issue at the core of this problem is the fact that Windows executes all font processing operations in the kernel's ring-0 with the highest level of permissions. A vulnerability in any of the libraries or operations would immediately give an attacker direct access to the whole OS.
Microsoft slowly became aware of this problem and started to improve its products. It first moved the font engine out of the kernel starting with Windows 10 and also moved font processing operations into a sandboxed environment running in a user-mode process. Unfortunately, the problem of font processing, even if limited in Windows 10, has remained for older OS versions.
Google unknowingly discovers two zero-days
At the start of 2015, Google's Project Zero started a massive security testing process of the Windows font processing system. The company's experts reported their discoveries to Microsoft in May 2015.
Google's experts discovered issues with how Windows was processing OTF and TTF fonts. The full bugs are listed in the table below.
Out of these, the first two were also used in live attacks (zero-day vulnerabilities) at the time Google discovered them.
The first is CVE-2015-2426, a security bug that Microsoft fixed in July 2015 via MS15-078. What Google engineers didn't know is that the bug they stumbled upon was also found months or years earlier by the Hacking Team.
A month after Google reported this issue to Microsoft, a hacker by the name of Phineas Fisher would breach the Hacking Team's servers and leak their entire database, including this zero-day exploit.
The second zero-day Project Zero engineers found was CVE-2015-2455. Microsoft would fix this issues as well, in August 2015, via MS15-080.
By the time it fixed the issue, this bug too would become public after the Keen Team would use it in the Pwn2Own competition.
Issues discovered using basic fuzzing tests
To find these vulnerabilities, Google's engineers said they only used fuzzing techniques, basic procedures for findings bugs in software code. The fact that a few fuzzing tests exposed these issues and that multiple entities were able to discover these bugs only shows the lack of any proper security testing that the font engine received.
This probably explains why, in the past years, there have been so many security issues reported in this component. The good news is that, at least with Windows 10, the font engine won't have direct access to the kernel anymore.
"If there is a family of software so fragile and yet widely deployed and accessible, that most security professionals can just hop in and easily find a convenient 0-day bug and use it in targeted attacks or mass campaigns, something is clearly wrong," Google's researchers explained, detailing the sad state of font processing operations on Windows.
| Tracker ID | Type | Format (driver) | SFNT table(s) | Reported | Fixed |
|---|---|---|---|---|---|
| 368 | Pool buffer overflow | TTF (win32k.sys) | glyf | 21 May 2015 | 11 August 2015 |
| 369 | Pool buffer overflow | OTF (atmfd.dll) | GPOS | 21 May 2015 | 20 July 2015 |
| 370 | Pool buffer overflow | TTF (win32k.sys) | hmtx, maxp | 21 May 2015 | 11 August 2015 |
| 382 | Pool out-of-bound reads | OTF (atmfd.dll) | CFF | 21 May 2015 | 11 August 2015 |
| 383 | Use-after-free | OTF (atmfd.dll) | CFF | 21 May 2015 | 11 August 2015 |
| 384 | Use-after-free | OTF (atmfd.dll) | CFF | 21 May 2015 | 11 August 2015 |
| 385 | Use of uninitialized memory | OTF (atmfd.dll) | CFF | 21 May 2015 | 11 August 2015 |
| 386 | Pool out-of-bound reads | OTF (atmfd.dll) | CFF | 21 May 2015 | 11 August 2015 |
| 392 | Pool out-of-bound reads | OTF (atmfd.dll) | CFF | 21 May 2015 | 11 August 2015 |
| 401 | Pool buffer overflow | TTF (win32k.sys) | glyf | 21 May 2015 | 11 August 2015 |
| 402 | Pool buffer overflow | TTF (win32k.sys) | fpgm, hmtx, maxp | 21 May 2015 | 11 August 2015 |
| 506 | Pool buffer overflow | TTF (win32k.sys) | OS/2 | 18 August 2015 | 10 November 2015 |
| 507 | Pool buffer overflow | TTF (win32k.sys) | glyf | 18 August 2015 | 10 November 2015 |
| 682 | Stack buffer overflow | OTF (atmfd.dll) | CFF | 22 December 2015 | 8 March 2016 |
| 683 | Pool buffer overflow | OTF (atmfd.dll) | CFF | 22 December 2015 | 8 March 2016 |
| 684 | Pool buffer overflow | TTF (win32k.sys) | EBLC, EBSC | 22 December 2015 (25 January 2016) | 12 April 2016 |