cbcvebase.
CVE-2019-1120
published 2019-07-15

CVE-2019-1120: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This…

PriorityP265high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
16.94%
96.7th percentile
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.

Affected

36 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10_version_1903_for_32-bit_systems
microsoftwindows_10_version_1903_for_arm64-based_systems
microsoftwindows_10_version_1903_for_x64-based_systems
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server
microsoftwindows_server_2016
microsoftwindows_server_2016
msrcwindows_10_version_1709_for_32-bit_systems
msrcwindows_10_version_1709_for_arm64-based_systems
msrcwindows_10_version_1709_for_x64-based_systems
msrcwindows_10_version_1803_for_32-bit_systems

Detection & IOCsextracted from sources · hover to see the quote

processDWrite!readFDSelect+0xe9
  • Crash/exploitation occurs in DWrite!readFDSelect called via DWrite!cfrBegFont -> DWrite!AdobeCFF2Snapshot -> DWrite!FontInstancer::InstanceCffTable -> DWrite!FontInstancer::CreateInstanceInternal -> DWrite!FontInstancer::CreateInstance -> DWrite!DWriteFontFace::CreateInstancedStream -> d2d1!dxc::TextConvertor::InstanceFontResources -> d2d1!dxc::CXpsPrintControl::Close. Monitor for access violations or heap-buffer-overflows in this call chain.
  • The exploit is triggered via Microsoft Edge when a user prints a page containing a specially crafted OpenType variable font (to PDF, XPS, or a printer). Alert on Edge renderer process crashes involving DWrite!readFDSelect.
  • The malicious OpenType font's FDSelect table (Format 3) contains a crafted 'next' field value of 0xffff (65535) to trigger out-of-bounds heap write. Look for OpenType fonts with FDSelect Type 3 where nRanges=0x0001, gid=0x0000, fd=0x00, next=0xffff.
  • ·The exploit requires user interaction: the victim must open a malicious webpage with an embedded OpenType variable font AND initiate a print action (to PDF, XPS, or physical printer) in Microsoft Edge. Exploitation is not drive-by without the print step.
  • ·Microsoft assessed exploitation as 'Less Likely' for both latest and older software releases at time of disclosure; the vulnerability was publicly disclosed but not observed exploited in the wild.

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.