Critical Adobe Reader, MS Windows font vulnerability can lead to complete system compromise

A Google Project Zero researcher has reported 15 vulnerabilities in Windows and Adobe software. Among them are severe ones that can enable an attacker to completely compromise a system.

“Even in the era of high quality security mechanisms and mitigations, 2015 possesses weaknesses where a single good vulnerability can still cause a complete system compromise,” Mateusz Jurczyk, a security engineer with Google Project Zero, noted in a talk he recently gave at the REcon security conference in Montreal.

A number of font engines used by Adobe Reader, popular modern browsers, Microsoft Windows and other software have been reported to be affected by not one or two but fifteen security bugs of varying severity.

In a blog post published on Wednesday, Jurczyk explained, “Some months ago, I started reverse engineering and investigating the security posture of the Adobe Type Manager Font Driver (ATMFD.DLL) module, which provides support for Type 1 and OpenType fonts in the Windows kernel since Windows NT 4.0, and remains there up to this day in Windows 8.1”.

The infosec researcher added, “Specifically, I focused on the handling of so-called ‘CharStrings’, which are essentially binary encoded PostScript programs with a dedicated set of instructions and a specific execution environment, responsible for drawing the shape of each glyph at a particular point size.”

Low quality code, bloated functions and the fact that the modern font engines of different vendors share a common ancestor, Adobe's original implementation of the Type 1 and OpenType (CFF) font formats, mean that a vulnerability found in one of these engines is quite likely to affect the others as well.

According to the researcher's findings, the most severe of the 15 vulnerabilities is one that affects both Adobe Reader and Microsoft Windows (CVE-2015-3052 and CVE-2015-0093, respectively).

He noted that this particular vulnerability stood out from the others, as it “could reliably generate a full ROP chain on the stack within the PostScript program, with no external interaction other than loading the font in the first place.”

“The extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far,” the Google Project Zero engineer added.

While 64-bit builds of Windows are not affected by this vulnerability, Jurczyk exploited a different CharString vulnerability on 64-bit Windows that bypasses all of the mitigations offered by the OS and ultimately achieves the same goal.
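CharStrings, the glyph programs described above, are what both the shared-ancestor problem and the "ROP chain on the stack" primitive revolve around. As an added illustration (this is not code from Project Zero, ATMFD or Adobe's CoolType), the following minimal Type 1 CharString decoder and interpreter in C shows the compact number encoding these programs use and the operand-stack bounds check that a native font engine must enforce: the Type 1 specification limits the operand stack to 24 entries, and an interpreter that omits the check lets a font write attacker-chosen 32-bit values past a fixed-size stack buffer. Only a handful of path operators are implemented, the input is assumed to be already decrypted, and the sample glyph program, the helper names and the error codes are constructed for this example.

```c
/* Added example (not Project Zero, ATMFD or CoolType code): a minimal Type 1 CharString
 * decoder/interpreter. Operator numbers and number encoding follow the Type 1 font spec. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define T1_MAX_OPERANDS 24   /* operand stack limit set by the Type 1 spec */
enum { T1_OK = 0, T1_ERR_STACK = 1, T1_ERR_TRUNC = 2, T1_ERR_OP = 3 };

typedef struct {
    int32_t stack[T1_MAX_OPERANDS]; /* fixed-size operand stack, lives on the native stack */
    int sp;                         /* number of operands currently pushed */
    int32_t x, y, width;            /* current point and advance width (set by hsbw) */
} t1_ctx;

/* Decode one encoded number at p. Returns bytes consumed, 0 if p[0] is an
 * operator byte (values below 32), or -1 if the encoding is truncated. */
int t1_decode_number(const uint8_t *p, size_t len, int32_t *out)
{
    if (len == 0) return -1;
    unsigned v = p[0];
    if (v < 32) return 0;
    if (v <= 246) { *out = (int32_t)v - 139; return 1; }                       /* -107..107 */
    if (len < 2) return -1;
    if (v <= 250) { *out = ((int32_t)v - 247) * 256 + p[1] + 108; return 2; }  /* 108..1131 */
    if (v <= 254) { *out = -((int32_t)v - 251) * 256 - p[1] - 108; return 2; } /* -1131..-108 */
    if (len < 5) return -1;                                                    /* 255: 32-bit big-endian */
    *out = (int32_t)(((uint32_t)p[1] << 24) | ((uint32_t)p[2] << 16) |
                     ((uint32_t)p[3] << 8) | (uint32_t)p[4]);
    return 5;
}

/* The check that matters. Without it, a CharString pushing more than 24 operands writes
 * attacker-chosen values past the array into whatever follows it on the native stack,
 * which is the bug class behind a glyph program that lays out a ROP chain by itself. */
static int t1_push(t1_ctx *c, int32_t v)
{
    if (c->sp >= T1_MAX_OPERANDS) return T1_ERR_STACK;
    c->stack[c->sp++] = v;
    return T1_OK;
}

/* Run a decrypted CharString; the final current point is left in c->x, c->y. Only basic
 * path operators are implemented; subrs, curves and escape operators are rejected. */
int t1_run(t1_ctx *c, const uint8_t *cs, size_t len)
{
    size_t i = 0;
    memset(c, 0, sizeof *c);
    while (i < len) {
        int32_t num;
        int n = t1_decode_number(cs + i, len - i, &num);
        if (n < 0) return T1_ERR_TRUNC;
        if (n > 0) {
            if (t1_push(c, num)) return T1_ERR_STACK;
            i += (size_t)n;
            continue;
        }
        uint8_t op = cs[i++];
        int need = 0;
        switch (op) {
        case 13: need = 2; break;            /* sbx wx hsbw */
        case 21: case 5: need = 2; break;    /* dx dy rmoveto / rlineto */
        case 22: case 6: need = 1; break;    /* dx hmoveto / hlineto */
        case 4: case 7: need = 1; break;     /* dy vmoveto / vlineto */
        case 9: break;                       /* closepath */
        case 14: return T1_OK;               /* endchar */
        default: return T1_ERR_OP;
        }
        if (c->sp < need) return T1_ERR_STACK;  /* underflow is a bug too */
        if (op == 13) { c->x = c->stack[0]; c->width = c->stack[1]; }
        else if (op == 21 || op == 5) { c->x += c->stack[0]; c->y += c->stack[1]; }
        else if (op == 22 || op == 6) c->x += c->stack[0];
        else if (op == 4 || op == 7) c->y += c->stack[0];
        c->sp = 0;  /* Type 1 clears the operand stack after each operator */
    }
    return T1_OK;
}

/* Constructed glyph program: 50 600 hsbw, 100 200 rmoveto, -10 -200 rlineto, endchar.
 * It exercises the one-, two- and five-byte number encodings. */
static const uint8_t sample_glyph[] = {
    189, 248, 236, 13, 239, 247, 92, 21,
    255, 0xFF, 0xFF, 0xFF, 0xF6, 251, 92, 5, 14 };

/* Runs the sample; returns the status code and reports the final point and width. */
int t1_run_sample(int32_t *x, int32_t *y, int32_t *width)
{
    t1_ctx c; int rc = t1_run(&c, sample_glyph, sizeof sample_glyph);
    *x = c.x; *y = c.y; *width = c.width;
    return rc;
}

/* A glyph that pushes 25 operands before its first operator: must be refused. */
int t1_run_overflowing_glyph(void)
{
    uint8_t cs[26]; t1_ctx c;
    memset(cs, 139, 25); cs[25] = 21;   /* 25 copies of the encoded number 0, then rmoveto */
    return t1_run(&c, cs, sizeof cs);
}
```

The sample glyph ends at (140, 0) with an advance width of 600, and the overflowing glyph is rejected with T1_ERR_STACK before its operator is ever reached. The interesting design point is how little separates the two outcomes: in a real engine the operand array is the same kind of fixed-size buffer, so one missing comparison in `t1_push` is the whole difference between a font that draws and a font that writes to the native stack.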

The engineer noted that there will always be some font vulnerabilities, as these bugs are far from extinct, and that the only realistic way around them is to remove font processing from all privileged security contexts. As Microsoft has introduced a separate user-mode font driver in Windows 10, he stated that the company is moving in the right direction.

His research also highlights the potential problems of low quality native code that is shared between products.

Both Adobe and Microsoft state that all of the vulnerabilities he discovered have been patched within the last couple of months, and that users who update their software regularly are covered. If you have not been applying these updates, do so immediately.

A great deal of technical material, including exploit demos and PoC code, has been made available by Jurczyk in the slides from his talk and in his blog post.
