A researcher from Google Project Zero has publicly revealed details on many of patched Microsoft and Adobe vulnerabilities, finding one in the Font Driver of Abode Type Manager that could allow to takeover several computers supporting latest font engines.
Mateusz Jurczyk researcher at Google Project Zero discovered a total of ‘fifteen’ vulnerabilities, he also found that any of the vulnerability could privilege escalation or trigger isolated execution in Windows kernel or Adobe Reader. But, the two horrible exist in the Font Driver of Adobe Type Manager, which has been there in the Windows Kernel from the time of Windows NT 4.
Mateusz Jurczyk said that the same interpreter (ATMFD.dll) has been used by the Windows Kernal for both OpenType and Type 1 CharStrings, supporting all function in the description, bloating it without need. He theorized that serious vulnerabilities which are already there in the code might be shared through many of desktop programs implementation. For instance, Adobe’s implementation of OpenType and Type1 fonts are discovered in Adobe Reader, Windows Presentation, OpenType fonts and Windows GDI.
Jurczyk said, “I have ended up with multiple low to critical severity issues, with most of the serious ones reproducing in more than one font engine.”
Microsoft and Adobe were able to patch all 15 vulnerabilities in May. The other bugs include memory disclosure, buffer overflows, STORE operators and out of bounds reads.
@j00ru did you just.nonchalantly drop 15 CVEs in a single blogpost..?
— Serge Bazanski (@q3k) June 24, 2015
The ATMFD.dll vulnerability, though, stands out, as per stated by Jurczyk.
Jurczyk said, “It provided a specially crafted font with the ability to operate on any data on the thread’s stack with all instructions available in the Type 1 / Type 2 Charstring instruction set (including arithmetic, logic, conditional, and other instructions). In other words, one could reliably generate a full ROP chain on the stack within the PostScript program, with no external interaction other than loading the font in the first place.”
In an article Jurczyk also shared his demonstration this month at Recon security conference and named it, “One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation.”
A report from welivesecruity.com states, Google has prolonged the disclosure time for bugs revealed in its Project Zero by an extra 2 weeks, if the companies are arranging a patch in the 2 weeks next the time limit. The extra 14 days ‘grace period’ for the companies will “improve industry response times to security bugs, but will result in softer landings for bugs marginally over deadline,” as per Google statement.
Although Jurczyk said, “The video demonstrates reliable exploitation of a vulnerability in the handling of the BLEND instruction in Type 1 fonts, used in two stages to first achieve arbitrary code execution in Adobe Reader 11.0.10, and further escape the sandbox and elevate privileges to System by attacking the Adobe Type Manager Font Driver in the Windows 8.1 Update 1 32-bit (or 64-bit) kernel.”