Make sure your Windows 10 patches are up to date: Google’s Project Zero has just released proof-of-concept code for a just-patched Windows 10 flaw that can be exploited merely by visiting a web page.
The problem is a flaw in Microsoft DirectWrite, the Windows font renderer used in all browsers. It is vulnerable to specially crafted TrueType fonts that can cause it to corrupt memory and crash, which may then be used to run code at kernel privileges.
“Attached is the proof-of-concept TrueType font together with an HTML file that embeds it and displays the AE character,” Google noted. “It reproduces the crash shown above on a fully updated Windows 10 1909, in all major web browsers. The font itself has been subset to only include the faulty glyph and its dependencies.”
The flaw, written up as CVE-2021-24093, was just patched on 9 February 2021, which means any users who have delayed installing this month’s Cumulative Updates are still vulnerable.