cbcvebase.
CVE-2019-1119
published 2019-07-15

CVE-2019-1119: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This…

PriorityP266high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
19.48%
97.0th percentile
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.

Affected

34 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10_version_1903_for_32-bit_systems
microsoftwindows_10_version_1903_for_arm64-based_systems
microsoftwindows_10_version_1903_for_x64-based_systems
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server_2016
microsoftwindows_server_2016
msrcwindows_10_version_1709_for_32-bit_systems
msrcwindows_10_version_1709_for_arm64-based_systems
msrcwindows_10_version_1709_for_x64-based_systems
msrcwindows_10_version_1803_for_32-bit_systems

Detection & IOCsextracted from sources · hover to see the quote

urlhttps://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47092.zip
processDWrite!t2Decode
processDWrite!AdobeCFF2Snapshot
processDWrite!FontInstancer::InstanceCffTable
processDWrite!DWriteFontFace::CreateInstancedStream
processd2d1!dxc::TextConvertor::InstanceFontResources
  • Trigger path requires a user to print (to PDF, XPS, or physical/virtual printer) a webpage containing a specially crafted OpenType variable font in Microsoft Edge, invoking the Direct2D printing interface and ultimately the vulnerable AFDKO CFF2 font parsing code.
  • The vulnerability is triggered via a malicious OpenType CFF2 (variable font) file. Monitor for anomalous font parsing activity in DWrite.dll, specifically calls to AdobeCFF2Snapshot → FontInstancer::InstanceCffTable → t2Decode originating from Edge renderer processes.
  • The exploit requires the print action to be initiated by the user; monitor for Edge renderer processes spawning print-related COM calls (CXpsPrintControl::Close, CPrintManagerTemplatePrinter::endPrint) shortly after loading external font resources.
  • ·The exploit requires user interaction: the victim must explicitly trigger printing (to PDF, XPS, or a printer) of a page containing the malicious variable font. Drive-by without print action is not sufficient.
  • ·Microsoft's exploit assessment rates exploitation as 'Less Likely' for both latest and older software releases, and the vulnerability had not been publicly exploited at time of disclosure.

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.