CVE-2019-1118
published 2019-07-15CVE-2019-1118: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This…
PriorityP266high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
23.67%
97.5th percentile
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
Affected
36 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10_version_1903_for_32-bit_systems | — | — |
| microsoft | windows_10_version_1903_for_arm64-based_systems | — | — |
| microsoft | windows_10_version_1903_for_x64-based_systems | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| msrc | windows_10_version_1709_for_32-bit_systems | — | — |
| msrc | windows_10_version_1709_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1709_for_x64-based_systems | — | — |
| msrc | windows_10_version_1803_for_32-bit_systems | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Trigger path: malicious OpenType variable font embedded in a webpage, triggered when the user prints from Microsoft Edge (to PDF, XPS, or physical/virtual printer), reaching dwrite!AdobeCFF2Snapshot via d2d1!dxc::TextConvertor::InstanceFontResources → dwrite!DWriteFactory::CreateInstancedStream / dwrite!DWriteFontFace::CreateInstancedStream → FontInstancer class methods. ↗
- →The vulnerability is triggered by invoking do_blend_cube() or do_set_weight_vector_cube() in a CharString (e.g. for glyph 'A') without a preceding tx_compose instruction, causing cubeStackDepth to remain at -1 and resulting in an out-of-bounds access into cube[-1] / stack.blendArgs[92]. ↗
- →Stack corruption occurs in t2cstr.c:1057 (do_blend_cube) and t2cstr.c:992 (do_set_weight_vector_cube) when cubeStackDepth is -1, causing h->cube[-1] to overlap with _t2cCtx.stack.blendArgs[92] — potentially user-controlled stack memory. ↗
- →Monitor for calls to dwrite!AdobeCFF2Snapshot and dwrite!DWriteFactory::CreateInstancedStream / dwrite!DWriteFontFace::CreateInstancedStream during font rendering in Edge or Direct2D printing contexts as an indicator of variable font instancing code being exercised. ↗
- ·Exploitation requires the user to actively trigger Direct2D printing (e.g. print-to-PDF/XPS) from Microsoft Edge while viewing a page with a malicious embedded OpenType variable font; passive browsing alone is insufficient. ↗
- ·Microsoft assessed exploitation as 'Less Likely' for both latest and older software releases at time of disclosure; the vulnerability was publicly disclosed but not observed exploited in the wild. ↗
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-229f-hv2p-3mxc: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-1128 [HIGH] GHSA-229f-hv2p-3mxc: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127.
GHSA
GHSA-q2ww-4p89-22gg: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-1121 [HIGH] GHSA-q2ww-4p89-22gg: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
GHSA
GHSA-j839-xpjx-4gm7: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-1120 [HIGH] GHSA-j839-xpjx-4gm7: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
GHSA
GHSA-34cj-gvj6-2422: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-1124 [HIGH] GHSA-34cj-gvj6-2422: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1127, CVE-2019-1128.
GHSA
GHSA-mv4v-p439-fv5j: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-1123 [HIGH] GHSA-mv4v-p439-fv5j: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
GHSA
GHSA-4rm2-m5fr-hpg9: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-1119 [HIGH] GHSA-4rm2-m5fr-hpg9: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
GHSA
GHSA-5559-9px3-6x8w: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-1127 [HIGH] GHSA-5559-9px3-6x8w: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1128.
GHSA
GHSA-gj6q-6rxx-9w68: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-1118 [HIGH] GHSA-gj6q-6rxx-9w68: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
GHSA
GHSA-6f96-cv22-mggm: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-1117 [HIGH] GHSA-6f96-cv22-mggm: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
GHSA
GHSA-jpfm-wf34-x9vx: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
ghsa_unreviewed·2022-05-24·CVSS 8.8
CVE-2019-1122 [HIGH] GHSA-jpfm-wf34-x9vx: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerabili
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
Microsoft
DirectWrite Remote Code Execution Vulnerability
vendor_msrc·2019-07-09·CVSS 7.8
CVE-2019-1118 [HIGH] DirectWrite Remote Code Execution Vulnerability
DirectWrite Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.
The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory.
Microsoft Graphics Component: Microsoft Graphics Component
Microsoft: Microsoft
Impact: Remote Code Execution
Exploit St
No detection rules found.
Trendmicro
December Patch Tuesday: Fixes for components, RDP
blogs_trendmicro·2019-12-11·CVSS 6.1
[MEDIUM] December Patch Tuesday: Fixes for components, RDP
Exploits & Vulnerabilities
# December Patch Tuesday: Fixes for components, RDP
Seven of the 36 fixes for this month's Patch Tuesday were identified as Critical, 28 Important, and one Moderate. The vulnerabilities covered a wide variety of Microsoft products: Windows, IE, Office, Hyper-V Server, and SQL Server, among others.
By: Trend Micro
2019/12/11
Read time: ( words)
Save to Folio
Microsoft released a total of 36 patches for December’s Patch Tuesday. Decembers tend to have a relatively low number of patches, and the last Patch Tuesday of the 2010s was no different. Seven of the 36 patches were identified as Critical, 28 Important, and one Moderate. The vulnerabilities covered a wide variety of Microsoft products, including Windows, Internet Explorer, Office, Hyper-V Server, and SQ
Trendmicro
December Patch Tuesday: Fixes for components, RDP
blogs_trendmicro·2019-12-11·CVSS 6.1
[MEDIUM] December Patch Tuesday: Fixes for components, RDP
# December Patch Tuesday: Fixes for components, RDP
Seven of the 36 fixes for this month's Patch Tuesday were identified as Critical, 28 Important, and one Moderate. The vulnerabilities covered a wide variety of Microsoft products: Windows, IE, Office, Hyper-V Server, and SQL Server, among others.
By: Trend Micro
Dec 11, 2019
Read time: ( words)
Save to Folio
Microsoft released a total of 36 patches for December’s Patch Tuesday. Decembers tend to have a relatively low number of patches, and the last Patch Tuesday of the 2010s was no different. Seven of the 36 patches were identified as Critical, 28 Important, and one Moderate. The vulnerabilities covered a wide variety of Microsoft products, including Windows, Internet Explorer, Office, Hyper-V Server, and SQL Server. None of the fixe
2019-07-15
Published