Microsoft patched 16 security issues relating to how font processing operations are handled in the Windows kernel.
Of the 16 vulnerabilities, two were zero-day vulnerabilities, said researchers at Project Zero, who helped discover the vulnerabilities.
Project Zero is an initiative to help improve the security of crucial software. Google sponsored the project, which helps fix critical vulnerabilities in open- or closed-source projects.
In a blog post, the project’s researchers released the methodology through which they managed to discover 16 issues in the way Windows handles fonts.
Fonts and font processing operations are an old problem within the Windows OS, but one that has not received much media attention compared to other vulnerabilities.
The core of the problem is that Windows executes all font processing operations in the kernel's ring 0, with the highest level of privilege. A vulnerability in any of these libraries or operations would immediately give an attacker direct access to the entire OS.
Microsoft became aware of this problem and started to improve its products. Starting with Windows 10, it moved the font engine out of the kernel and moved font processing operations into a sandboxed user-mode process. The font processing issue, while mitigated in Windows 10, remains in older OS versions.
At the start of 2015, Google’s Project Zero started a massive security testing process of the Windows font processing system. The company’s researchers reported their discoveries to Microsoft in May 2015.
Google’s experts discovered issues with how Windows was processing OTF and TTF fonts.
Two of the vulnerabilities were already being used in live attacks at the time Google discovered them.
The first is CVE-2015-2426, a security bug Microsoft fixed in July 2015 via MS15-078. What Google's engineers did not know was that the bug they stumbled upon had also been found months or years earlier by the Hacking Team.
A month after Google reported this issue to Microsoft, a hacker by the name of Phineas Fisher breached the Hacking Team's servers and leaked their entire database, including this zero-day exploit.
The second zero-day Project Zero engineers found was CVE-2015-2455. Microsoft fixed this issue as well, in August 2015, via MS15-080.
By the time Microsoft fixed it, the bug had already become public after the Keen Team used it in the Pwn2Own competition.
To find these vulnerabilities, Google's engineers said they used only fuzzing techniques, basic procedures for finding bugs in software code. The fact that a few fuzzing tests exposed these issues, and that multiple entities were able to discover these bugs independently, shows the lack of any proper security testing the font engine had received.