Return to site

Why cyber criminals love font files in Windows ?

Windows Vulnerability Study

In the process of developing Hoplite Technology’s cyber risk assessments and gathering security datasets, we have noticed pre-Windows 10 systems are exposed to higher risks of remote attacks than Win 10. Microsoft has done a lot recently on improving their OS and this observation should not be a surprise.

However, when we were digging deeper to the root of the problem , the real reason did surprise us.

First, we started with some data gathering. The most objective and well organised data is from the CVE database, which categorises all reported vulnerabilities in table format. The search functions are also extensive. There are over 14186 reported vulnerabilities from 3608products.

We selected the most recent 1500 records that is related to MS and has a score over 2. This dataset size is just right for a meaningful analysis. The data set is drawn from March 2017 to April 2019.

We used text analysis functions and count frequency of each keyword search. The results have given us the below table (after removing business English words like “entire”, “always").

The above quick analysis gives us a birdeye view on the distribution of vulnerabilities discovered in Microsoft products. Keywords like “memory” and “overflow” are high frequency words for obvious reasons. Only focus on high frequency words does not bring us insights on risks. What we are striving for is a risk-based approach in assessing and measuring vulnerability.

More specifically, which area or component of MS platform poses a higher risk of exploit? To answer this, we need to take more attributes (in additional to frequency) into considerations. The CVSS Score is a summary metric related to the risk of each vulnerability and the higher the score, the higher the possibility of vulnerable risk will be.

The above quick analysis gives us a birdeye view on the distribution of vulnerabilities discovered in Microsoft products. Keywords like “memory” and “overflow” are high frequency words for obvious reasons. Only focus on high frequency words does not bring us insights on risks. What we are striving for is a risk-based approach in assessing and measuring vulnerability.

More specifically, which area or component of MS platform poses a higher risk of exploit? To answer this, we need to take more attributes (in additional to frequency) into considerations. The CVSS Score is a summary metric related to the risk of each vulnerability and the higher the score, the higher the possibility of vulnerable risk will be.

Quick Summary of CVSS is below

From this summary, we can conclude the number of discovered vulnerabilities from Windows did not change much but the overall risk level is decreasing. Which is a good sign and this has shown Microsoft team is adding more secure features to minimize discovered vulnerabilities impacts.

Now get to the real stuff. To find out which component of MS platform has higher risk vulnerability. We first found out the high frequent keywords that are technology related or contain product name, examples are “sharepoint” ,”Edge” or “HyperV”

The top 5 items are

Using the percentage bar chart, we show the percentage of discovered vulnerability within each CCVS score ranging from 2 to 4 (lower risk), 5 to 6, 7 to 8, 9 to 10 (higher risk) level for each Windows component.

With the visual help of Chart 1, we could see there is no surprise that Edge shows a higher risk profile both in quantity and in risk scores than the rest of attack vectors. From Table 1 (Fonts are highligted in orange color), it also shows that fonts are actually pose a higher risk than other discovered vulnerability (although it has the lower number of counts). Most of the vulnerabilities are high risk, i.e. around 45%.)

The reason why vulnerabilities related to fonts have higher risk is that Microsoft Windows process font files in kernel mode. Therefore, by manipulating font files, attackers are able to find a short cut into kernel mode and thus bypass many security features.

There are a few blog posts explaining font file parsing, Google Project Zero and Microsoft.

Google EngineerMateusz Jurczykexplained that a kernel-mode Adobe Type Manager Font Driver (ATMFD.DLL) used by Windows has vulnerability

“This, in turn, could be used by an attacker to craft a self-contained malicious Type 1 font which, once loaded in the vulnerable environment, reliably and deterministically builds a ROP chain in the Charstring program, consequently defeating all modern exploit mitigations techniques such as stack cookies, DEP, ASLR, SMEP and so on.“ (src : https://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html )

The issue of processing fonts in kernel mode is well documented and Microsoft has modified this architecture in Windows 10 adding AppContainer.

“When opening the malicious font sample on Windows 10 Anniversary Update, font parsing happens completely in AppContainer instead of the kernel. AppContainer provides an isolated sandbox that effectively prevents font exploits (among other types of exploits) from gaining escalated privileges. The isolated sandbox considerably reduces font parsing as an attack surface.“

(src: https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/)

Still, there are many devices not using Windows 10 or not patched properly. Sometimes, system support or administrators may think font files are not high risk since they have long history and stable, thus they pay less attention to patches related to font files. I hope this article is able to explain why patches related to font files (in particular Adobe Type Manager Font Driver) is important.

All Posts
×

Almost done…

We just sent you an email. Please click the link in the email to confirm your subscription!

OK