Google releases PoC for Windows 10 remote code execution (CVE-2021-24093) vulnerability
Google often discloses security vulnerabilities in Microsoft products under its own security rules; sometimes it publishes the details even when Microsoft has not had time to fix the vulnerabilities.
The reason given by the company is that only this method can push developers to fix vulnerabilities in a timely manner, but fixing a vulnerability is not always easy.
So Google's approach is often criticized by Microsoft, and some security researchers and Microsoft's enterprise customers are also worried about it.
Now Google has once again published a proof of concept for a Windows 10 remote code execution vulnerability, but rest assured that this time the vulnerability has already been fixed.
The font renderer is a basic component that Microsoft uses in the system. It renders the fonts built into the system, and other software also uses it.
Earlier, Google discovered that Microsoft's font renderer had a serious security vulnerability. Attackers could trigger it with special fonts, causing memory corruption and crashes.
After the memory corruption and crash, the attacker can gain privilege escalation and launch more attacks. Fortunately, this vulnerability was fixed by Microsoft last month.
Users who have installed the February 2021 cumulative updates have the fix and avoid the attack; users who delay installing the cumulative update remain exposed to it.
Therefore, it is recommended that security-conscious users, especially government and enterprise organizations, install cumulative updates as soon as possible to prevent attackers from using phishing emails to exploit this vulnerability.
The Google security team recently released a proof of concept for the font renderer vulnerability. Considering that the vulnerability has been fixed, releasing the proof of concept at this time poses no problem.
The company said that in the proof of concept, researchers crafted specific fonts and embedded them in HTML files, and the vulnerability is triggered when such a file is loaded in a browser.
The corresponding vulnerability number is CVE-2021-24093, and the vulnerability was reported on November 27, 2020. 90 days have passed since then, so Google has disclosed the details of the vulnerability.
If you are interested, the proof of concept is available from Google, which has also provided a special font file that allows you to test this vulnerability.