The edition of Microsoft Patch Tuesday released yesterday brought a highly critical vulnerability found and described by Hossein Lotfi from Secunia Research at Flexera. The vulnerability is in a core component of all supported versions of Microsoft Windows operating systems, the Unicode Scripts Processor, which ships with the operating system. Because of its nature, the vulnerability is typically exploited via web browsing and document exchange, for example, where opening a specially crafted web page or document is enough to trigger the malicious code. For that reason, patching this vulnerability as soon as possible is the most effective way to protect machines against exploitation and avoid the risk it represents for both private users and businesses.
A Q&A with Hossein on this vulnerability is given below:
Flexera: Does this vulnerability have a nickname?
Hossein: No. Feel free to call it “Dirty Font”, “Ugly USP”, or …
Flexera: Any t-shirt?
Hossein: Not yet!
Flexera: What is your opinion on the “Marketing” of vulnerabilities?
Hossein: You probably guessed from my previous answers that I personally prefer to just stick to the details of a vulnerability and provide them to the community, rather than trying to create hype by giving it a nickname. The actual research, analysis, and the details are where the fun, challenging part is. And it’s also the most useful for users of the affected systems.
Flexera: Can you elaborate on the vulnerability that you found?
Hossein: The vulnerability happens when processing a font file with a specially crafted Unicode Variation Sequences table. An integer overflow leads to an under-sized buffer and then a memory corruption. This affects all supported versions of Windows, x64 and x86.
Flexera: What do customers potentially face should they decide not to patch?
Hossein: The issue happens within a core component of Windows and not a specific application. That is to say, any application using the affected API when processing fonts can be affected and, thus, it is better to be patched as soon as possible.
Flexera: What does an exploitation of such a vulnerability typically look like?
Hossein: The exploitation can happen via different vectors where font processing may happen, e.g. a possibly affected web browser or mail client.
Flexera: Perhaps you can give some insights on how difficult it is to find and analyze a vulnerability like this. Is it a lengthy process?
Hossein: Analyzing it is easy and quick. Finding the issue is a bit more challenging as, in this case, it was found via reverse engineering. The code quality has improved in recent versions of Windows, and it is a bit more challenging to find a vulnerability.
Flexera: Is it unusual to have such a vulnerability affect so many Windows versions?
Hossein: No. Although the code quality is better in recent versions of Windows, a lot of the code base is still the same.
The technical description of the vulnerability can be found on the Secunia Research blog.
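The bug class Hossein describes, an integer overflow in a size computed from a font table's record count, is illustrated below with an added example that is not Secunia's or Microsoft's code. It assumes the public OpenType cmap format 14 layout for a Unicode Variation Sequences subtable (10-byte header ending in numVarSelectorRecords, then 11-byte VariationSelector records) and shows the wrapping 32-bit size computation beside a widened, bounds-checked one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed layout following the public cmap format 14 (Unicode Variation
 * Sequences) subtable: a 10-byte header whose last field is numVarSelectorRecords,
 * followed by 11-byte VariationSelector records. Illustration only; this is not
 * the Windows code that was patched. */
#define UVS_HEADER_LEN 10u
#define UVS_RECORD_LEN 11u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Writes a constructed format 14 header (format, length, record count) into buf. */
void uvs_write_header(uint8_t buf[UVS_HEADER_LEN], uint32_t length, uint32_t num_records) {
    buf[0] = 0; buf[1] = 14;                       /* format = 14, big-endian */
    for (int i = 0; i < 4; i++) buf[2 + i] = (uint8_t)(length >> (24 - 8 * i));
    for (int i = 0; i < 4; i++) buf[6 + i] = (uint8_t)(num_records >> (24 - 8 * i));
}

/* Unchecked pattern: the 32-bit multiply wraps, so a large record count yields a
 * tiny allocation while the record loop later writes count * 11 bytes into it.
 * 390451573 records: 390451573 * 11 wraps to 7, plus the header gives 17 bytes. */
uint32_t uvs_alloc_size_unchecked(uint32_t num_records) {
    return UVS_HEADER_LEN + num_records * UVS_RECORD_LEN;
}

/* Checked pattern: widen to 64 bits so the product cannot wrap, then require the
 * claimed records to fit inside the bytes actually present in the table.
 * Returns false when the table must be rejected. */
bool uvs_alloc_size_checked(const uint8_t *table, size_t table_len, size_t *out_size) {
    if (table_len < UVS_HEADER_LEN) return false;
    uint64_t needed = (uint64_t)be32(table + 6) * UVS_RECORD_LEN + UVS_HEADER_LEN;
    if (needed > table_len) return false;          /* overflowed or oversized count */
    *out_size = (size_t)needed;
    return true;
}

/* Builds a constructed table of table_len bytes (<= 64) claiming num_records
 * records and returns the checked size, or 0 when the table is rejected. */
size_t uvs_check_demo(uint32_t num_records, size_t table_len) {
    uint8_t table[64] = {0};
    if (table_len > sizeof table || table_len < UVS_HEADER_LEN) return 0;
    uvs_write_header(table, (uint32_t)table_len, num_records);
    size_t size = 0;
    return uvs_alloc_size_checked(table, table_len, &size) ? size : 0;
}
```

The same count that the unchecked arithmetic turns into a 17-byte allocation is rejected by the checked version because 390451573 records cannot fit in a 32-byte table.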