Font vulnerabilities addressed in monthly patches

Microsoft recently released its monthly bundle of bug fixes for April’s Patch Tuesday. Among the addressed issues are five critical vulnerabilities in the Windows Font Library which, if exploited, could lead to remote code execution. Given how widely fonts are used and the severity of the flaws, it is of utmost importance that these patches are installed quickly.


Critical embedded font vulnerabilities found

Microsoft recently released its monthly Patch Tuesday bundle of bug fixes and security updates. April’s updates include critical fixes for several products (Windows, Edge, Office and Internet Explorer), with one of the more surprising ones being for the Windows Font Library.

Five critical vulnerabilities were found within the library, each relating to improper handling of embedded fonts; they were discovered and disclosed by researcher Hossein Lotfi at Flexera Software. An attacker who tricks a user into opening a file or a crafted web page containing a malicious font gains code execution on the device with the privileges of that user, so an account running with administrative rights hands over the whole machine.

The vulnerabilities affect nearly every supported version of Windows, from Windows 7 to Windows 10 and from Windows Server 2008 to Windows Server 2016. Because of the sheer number of attack vectors (documents, files, web pages and so on), CYPRO recommends patching these vulnerabilities as soon as possible. For a more technical description, see the advisories for CVE-2018-1010, CVE-2018-1012, CVE-2018-1013, CVE-2018-1015 and CVE-2018-1016.
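The recommendation to patch quickly is only useful if you can tell which machines have actually taken the April updates. The PowerShell below is an added example written for this page, not code from Microsoft or from the original article: it queries each host for installed security updates and flags any host with none installed on or after 10 April 2018. The cut-off date and the host list are assumptions; the article does not list the KB numbers that carry the font fixes, so the check goes by install date rather than by a specific KB.

```powershell
# Added example: flag hosts with no security update installed since April 2018 Patch Tuesday.
# Assumptions (not from the article): the cut-off date 2018-04-10 and the placeholder host list.
param(
    [string[]] $ComputerName = @($env:COMPUTERNAME),   # placeholder: replace with your host list
    [datetime] $PatchTuesday = '2018-04-10'            # assumed date of the April 2018 release
)

foreach ($computer in $ComputerName) {
    try {
        # Get-HotFix wraps Win32_QuickFixEngineering. InstalledOn can be null for some
        # entries, so it is tested before the date comparison.
        $recent = Get-HotFix -ComputerName $computer -ErrorAction Stop |
            Where-Object {
                $_.InstalledOn -and
                $_.InstalledOn -ge $PatchTuesday -and
                $_.Description -match 'Security'
            }

        [pscustomobject]@{
            Computer        = $computer
            CutOff          = $PatchTuesday.ToString('yyyy-MM-dd')
            SecurityUpdates = ($recent | Select-Object -ExpandProperty HotFixID) -join ', '
            Status          = if ($recent) { 'OK' } else { 'NEEDS REVIEW' }
        }
    }
    catch {
        # Unreachable or access-denied hosts are reported rather than silently skipped.
        [pscustomobject]@{
            Computer        = $computer
            CutOff          = $PatchTuesday.ToString('yyyy-MM-dd')
            SecurityUpdates = ''
            Status          = "ERROR: $($_.Exception.Message)"
        }
    }
}
```

Run it as `.\Check-AprilPatches.ps1 -ComputerName srv01, srv02` from an account with remote WMI access. A host marked NEEDS REVIEW has not installed any security update since the cut-off and should be checked against the KB numbers in the CVE advisories above; Win32_QuickFixEngineering does not list every kind of update (driver and some servicing-stack updates are missing), so treat OK as a screening result rather than proof that the font fixes themselves are present.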

Other vulnerabilities addressed

Other notable vulnerabilities addressed in this month’s patches include a fix for certain Microsoft wireless keyboards, where a weakness could allow an attacker to read the keystrokes they send, and an out-of-band update relating to Meltdown. If you are interested in Meltdown & Spectre you can read more about them here.

For more information on the full content of Microsoft’s Patch Tuesday, including non-critical vulnerabilities, do read more about it here.