Just Released! 2021 Gartner® Market Guide for MDR Services READ 
Skip to main content

CVE-2021-24093 - RCE Vulnerability in Windows 10

Executive Summary

On Tuesday, February 9, Microsoft released patches for multiple vulnerabilities as part of its monthly “Patch Tuesday Release,” including one RCE vulnerability in a Windows 10 graphics component. This vulnerability, tracked as CVE-2021-24093 was disclosed to Microsoft by security researchers at Google. Following a 90-day disclosure window that elapsed on February 24, Google made proof-of-concept (PoC) exploit code for this vulnerability publicly available on its blog.

Arctic Wolf has analyzed this PoC exploit code, and assesses with high confidence that threat actors will move quickly to weaponize this PoC to carry out attacks against Windows 10 users. Additionally, we believe that this vulnerability can be exploited in “drive-by compromises,” whereby vulnerable targets are lured to a malicious website containing hidden exploit code that requires no user interaction to execute.

Based on these factors, Arctic Wolf assesses that this vulnerability poses a high risk to organizations with unpatched Windows 10 systems.

Technical Analysis

What is the root cause of CVE-2021-24093?

This vulnerability exists in a high quality, text rendering Windows API named Microsoft DirectWrite used by major web browsers such as Chrome, FireFox, and Edge for rendering web fonts. As a result of a flaw within this component, an attacker can trigger a buffer overflow condition using a maliciously crafted custom font embedded in a website that leads to arbitrary code execution.

What would attacks exploiting CVE-2021-24093 look like?

Arctic Wolf assesses there are two highly probable attack scenarios that may exploit CVE-2021-24093.

Scenario 1: Drive-by compromise

  1. Attacker compromises a popular website
  2. Attacker maliciously crafts a “TrueType font” file
  3. Attacker modifies the HTML of the website to include the newly created font
  4. Attacker hides arbitrary commands inside the HTML tags
  5. Victim user running outdated Windows 10 lands on the compromised website
  6. The victim’s browser calls the Microsoft DirectWrite API to render the font on the website
  7. Exploit code is triggered and remote code is executed on the victim’s system

Scenario 2: Phishing E-mails

  1. Attacker creates their own website or compromises an existing one
  2. Attacker maliciously crafts a “TrueType font” file
  3. Attacker modifies the HTML of the website to include the newly created font
  4. Attacker hides arbitrary commands inside the HTML tags
  5. Attacker sends a phishing e-mail using some type of lure to one or more targets, enticing them to click on a link to their website
  6. Victim user running outdated Windows 10 visits the malicious website
  7. The victim’s browser calls the Microsoft DirectWrite API to render the font on the website
  8. Exploit code is triggered and remote code is executed on the victim’s system