CVE-2021-24093 – RCE Vulnerability in Windows 10


Executive Summary

On Tuesday, February 9, 2021, Microsoft released patches for multiple vulnerabilities as part of its monthly “Patch Tuesday” release, including one remote code execution (RCE) vulnerability in a Windows 10 graphics component. This vulnerability, tracked as CVE-2021-24093, was reported to Microsoft by security researchers at Google. Following a 90-day disclosure window that elapsed on February 24, Google made proof-of-concept (PoC) exploit code for this vulnerability publicly available on its blog.

Arctic Wolf has analyzed this PoC exploit code and assesses with high confidence that threat actors will move quickly to weaponize it in attacks against Windows 10 users. Additionally, we believe this vulnerability can be exploited in “drive-by compromises,” in which vulnerable targets are lured to a malicious website containing hidden exploit code that executes with no user interaction beyond loading the page.

Based on these factors, Arctic Wolf assesses that this vulnerability poses a high risk to organizations with unpatched Windows 10 systems.

Technical Analysis

What is the root cause of CVE-2021-24093?

This vulnerability exists in Microsoft DirectWrite, a Windows text-rendering API that major web browsers such as Chrome, Firefox, and Edge use to render web fonts. A flaw in how the component processes font data allows an attacker to trigger a buffer overflow with a maliciously crafted font embedded in a web page, which can lead to arbitrary code execution in the process that renders the font.
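A TrueType font declares, in its 'maxp' table, upper bounds such as the maximum number of points and contours per glyph and the maximum size of a glyph's hinting instructions; a rasterizer commonly sizes its working buffers from those declared limits, so a glyph whose real data exceeds what the font declares is exactly the kind of mismatch that turns a font parser into a memory-corruption target. The Python script below is an added illustration of the format and is not code from Arctic Wolf, Google, or Microsoft. It builds three small TrueType fonts from scratch (constructed sample data), parses their table directory, and reports every glyph that exceeds the declared 'maxp' limits or overruns its own loca/glyf record. It is a generic consistency check on the format, not a detector for the specific DirectWrite code path behind CVE-2021-24093, and it skips composite glyphs.

```python
"""Check TrueType glyph data against the limits its 'maxp' table declares.
Added illustration of the font format only: not the CVE-2021-24093 trigger and
not code from Arctic Wolf, Google or Microsoft.  Sample fonts are constructed."""
import struct

def build_glyph(end_pts, instructions=b""):
    """Serialise a simple glyph: header, endPtsOfContours, instructions, then an
    on-curve flag and 16-bit x/y deltas for every point."""
    n_pts = end_pts[-1] + 1
    glyph = struct.pack(">hhhhh", len(end_pts), 0, 0, 100, 100)
    glyph += struct.pack(">%dH" % len(end_pts), *end_pts)
    glyph += struct.pack(">H", len(instructions)) + instructions
    glyph += b"\x01" * n_pts
    return glyph + struct.pack(">%dh" % n_pts, *([1] * n_pts)) * 2

def build_font(glyphs, max_points, max_contours, max_instr):
    """Assemble head, maxp, loca (long offsets) and glyf into an sfnt file."""
    head = struct.pack(">IIIIHH", 0x00010000, 0, 0, 0x5F0F3CF5, 0, 1000)
    head += b"\0" * 16 + struct.pack(">hhhh", 0, 0, 100, 100)
    head += struct.pack(">HHhhh", 0, 8, 2, 1, 0)           # indexToLocFormat = 1
    maxp = struct.pack(">I12H", 0x00010000, len(glyphs), max_points, max_contours,
                       0, 0, 2, 0, 0, 0, 0, 0, max_instr) + b"\0" * 4
    glyf, offsets = b"", [0]
    for g in glyphs:
        glyf += g + b"\0" * (-len(g) % 4)
        offsets.append(len(glyf))
    loca = struct.pack(">%dI" % len(offsets), *offsets)
    tables = sorted([(b"glyf", glyf), (b"head", head), (b"loca", loca), (b"maxp", maxp)])
    out, body = struct.pack(">IHHHH", 0x00010000, len(tables), 64, 2, 0), b""
    data_start = 12 + 16 * len(tables)
    for tag, data in tables:
        out += struct.pack(">4sIII", tag, 0, data_start + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    return out + body

def parse_tables(font):
    """Map tag -> table bytes from the directory, refusing out-of-file ranges."""
    tables = {}
    for i in range(struct.unpack_from(">H", font, 4)[0]):
        tag, _csum, off, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        if off + length > len(font):
            raise ValueError("table %s runs past end of file" % tag.decode("latin-1"))
        tables[tag.decode("latin-1")] = font[off:off + length]
    return tables

def check_font(font):
    """Return one finding per glyph that exceeds maxp or overruns its glyf record."""
    t = parse_tables(font)
    if any(x not in t for x in ("head", "maxp", "loca", "glyf")):
        return ["missing one of head/maxp/loca/glyf"]
    long_loca = struct.unpack_from(">h", t["head"], 50)[0] == 1
    m = struct.unpack_from(">12H", t["maxp"], 4)        # numGlyphs .. maxSizeOfInstructions
    num_glyphs, max_points, max_contours, max_instr = m[0], m[1], m[2], m[11]
    fmt = ">%d%s" % (num_glyphs + 1, "I" if long_loca else "H")
    if struct.calcsize(fmt) > len(t["loca"]):
        return ["loca holds fewer than numGlyphs + 1 entries"]
    offsets = [o * (1 if long_loca else 2) for o in struct.unpack_from(fmt, t["loca"])]
    glyf, findings = t["glyf"], []
    for gid in range(num_glyphs):
        start, end = offsets[gid], offsets[gid + 1]
        if start > end or end > len(glyf):
            findings.append("glyph %d: loca range %d..%d outside glyf" % (gid, start, end))
            continue
        if end == start:
            continue                                     # empty glyph, e.g. space
        n_contours = struct.unpack_from(">h", glyf, start)[0] if end - start >= 10 else 0
        if n_contours < 0:
            continue                                     # composite glyph: not covered here
        if n_contours > max_contours:
            findings.append("glyph %d: %d contours > maxContours %d" % (gid, n_contours, max_contours))
        pos = start + 10
        if pos + 2 * n_contours + 2 > end:
            findings.append("glyph %d: header or contour table overruns glyph record" % gid)
            continue
        end_pts = struct.unpack_from(">%dH" % n_contours, glyf, pos)
        pos += 2 * n_contours
        n_points = end_pts[-1] + 1 if n_contours else 0
        if n_points > max_points:
            findings.append("glyph %d: %d points > maxPoints %d" % (gid, n_points, max_points))
        instr_len = struct.unpack_from(">H", glyf, pos)[0]
        if instr_len > max_instr:
            findings.append("glyph %d: %d instr bytes > maxSizeOfInstructions %d" % (gid, instr_len, max_instr))
        if pos + 2 + instr_len > end:
            findings.append("glyph %d: instructions overrun glyph record" % gid)
    return findings

def sample_fonts():
    """Constructed inputs: consistent; maxp understating the glyph; instructionLength lying."""
    glyph = build_glyph([3, 7], b"\x00\x01")             # 2 contours, 8 points, 2 instr bytes
    lying = bytearray(glyph)
    struct.pack_into(">H", lying, 14, 0xFFFF)            # instructionLength field of the glyph
    return {
        "consistent": build_font([glyph], 8, 2, 2),
        "understated": build_font([glyph], 4, 1, 0),
        "truncated": build_font([bytes(lying)], 8, 2, 2),
    }

if __name__ == "__main__":
    for name, font in sample_fonts().items():
        print(name, check_font(font) or "consistent")
```

The "understated" font is the interesting case for this advisory: the glyph itself is well formed, but the 'maxp' limits a renderer would trust when allocating buffers are smaller than what the glyph actually contains. The "truncated" font shows the complementary case, a length field inside the glyph that points past the end of its own record. Real fonts also carry composite glyphs, 'cvt', 'fpgm' and 'prep' programs, and many more tables; the same declared-versus-actual comparison applies to each of them.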

What would attacks exploiting CVE-2021-24093 look like?

Arctic Wolf assesses there are two highly probable attack scenarios that may exploit CVE-2021-24093.

Scenario 1: Drive-by compromise

  1. Attacker compromises a popular website
  2. Attacker crafts a malicious “TrueType font” file carrying the exploit payload
  3. Attacker modifies the HTML and CSS of the website to include the newly created font
  4. The page references the font (for example through an @font-face rule) so that the browser fetches and renders it automatically, without any click from the visitor
  5. Victim user running unpatched Windows 10 lands on the compromised website
  6. The victim’s browser calls the Microsoft DirectWrite API to render the font on the website
  7. The crafted font triggers the overflow and the attacker’s code executes on the victim’s system

Scenario 2: Phishing e-mails

  1. Attacker creates their own website or compromises an existing one
  2. Attacker crafts a malicious “TrueType font” file carrying the exploit payload
  3. Attacker modifies the HTML and CSS of the website to include the newly created font
  4. The page references the font (for example through an @font-face rule) so that the browser fetches and renders it automatically, without any click from the visitor
  5. Attacker sends a phishing e-mail with a lure to one or more targets, enticing them to click a link to the website
  6. Victim user running unpatched Windows 10 visits the malicious website
  7. The victim’s browser calls the Microsoft DirectWrite API to render the font on the website
  8. The crafted font triggers the overflow and the attacker’s code executes on the victim’s system

Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.