CVE-2019-1128
Published: 2019-07-15
Priority: P2 · 65 · high · 8.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 16.94% (96.7th percentile)
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127.
Affected
36 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10_version_1903_for_32-bit_systems | — | — |
| microsoft | windows_10_version_1903_for_arm64-based_systems | — | — |
| microsoft | windows_10_version_1903_for_x64-based_systems | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| msrc | windows_10_version_1709_for_32-bit_systems | — | — |
| msrc | windows_10_version_1709_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1709_for_x64-based_systems | — | — |
| msrc | windows_10_version_1803_for_32-bit_systems | — | — |
Detection & IOCs (extracted from sources)
- Trigger path: a specially crafted OpenType variable font with both 'CFF ' and 'CFF2' tables embedded can reach the vulnerable AFDKO readCharset() code via dwrite!AdobeCFF2Snapshot → FontInstancer → dwrite!DWriteFontFace::CreateInstancedStream / dwrite!DWriteFactory::CreateInstancedStream
- The attack can be triggered via the Direct2D printing interface in Microsoft Edge: a user visiting a page with an embedded malicious OpenType variable font and printing it (to PDF, XPS, or a printer) will execute the vulnerable code path via d2d1!dxc::TextConvertor::InstanceFontResources
- The PoC font uses a crafted charset descriptor with specific field values to trigger the heap buffer overflow: width=0x02, id=0x4141, nLeft=0xffff. Monitor for OpenType fonts with CFF charset descriptors containing anomalously large nLeft values (e.g. 0xffff / 65535).
- The exploit technique involves appending a legacy 'CFF ' table to a variable font that already contains a 'CFF2' table. Detection opportunity: scan font files for the simultaneous presence of both 'CFF ' and 'CFF2' tables, which is abnormal and is the prerequisite for reaching the vulnerable code in DirectWrite.
- Crash/exploitation signature: heap-buffer-overflow write in addID() at cffread.c:1843, called from readCharset() at cffread.c:2187, called from cfrBegFont() at cffread.c:2789. Stack trace pattern can be used for crash triage or sandbox detonation matching.
- The CreateInstancedStream method used to reach the vulnerable code is not a member of a public COM interface; the known reachable attack surface is via the Direct2D printing interface (e.g. Edge print-to-PDF/XPS). Other trigger paths may exist but were not confirmed.
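The table-presence check described in the list above can be run over font files at a mail or web gateway. The following is an added example, not code from any of the cited sources; the function names are illustrative, the sample fonts are constructed in the script, and input is assumed to be a raw sfnt file or TTC collection (WOFF/WOFF2 must be unwrapped first).

```python
import struct

SFNT_MAGICS = {b"OTTO", b"\x00\x01\x00\x00", b"true"}

def table_tags(data, base):
    """Return the table tags of one sfnt font whose offset table starts at base."""
    if len(data) < base + 12 or data[base:base + 4] not in SFNT_MAGICS:
        raise ValueError("not an sfnt offset table")
    (num_tables,) = struct.unpack_from(">H", data, base + 4)
    end = base + 12 + 16 * num_tables
    if end > len(data):
        raise ValueError("table directory runs past end of file")
    # Each 16-byte record is: tag, checksum, offset, length.
    return [data[p:p + 4] for p in range(base + 12, end, 16)]

def font_table_sets(data):
    """Yield the tag list of every font in a plain sfnt file or a TTC collection."""
    if data[:4] == b"ttcf":
        if len(data) < 12:
            raise ValueError("truncated TTC header")
        (num_fonts,) = struct.unpack_from(">I", data, 8)
        if 12 + 4 * num_fonts > len(data):
            raise ValueError("TTC offset list runs past end of file")
        for off in struct.unpack_from(">%dI" % num_fonts, data, 12):
            yield table_tags(data, off)
    else:
        yield table_tags(data, 0)

def has_cff_and_cff2(data):
    """True if any font in the file carries both a 'CFF ' and a 'CFF2' table."""
    return any(b"CFF " in tags and b"CFF2" in tags
               for tags in font_table_sets(data))

def build_sfnt(tags):
    """Constructed sample: an OTTO header plus one zero-length record per tag."""
    out = b"OTTO" + struct.pack(">HHHH", len(tags), 0, 0, 0)
    for tag in tags:
        out += tag + struct.pack(">III", 0, 12 + 16 * len(tags), 0)
    return out

if __name__ == "__main__":
    normal = build_sfnt([b"CFF2", b"cmap", b"fvar"])
    odd = build_sfnt([b"CFF ", b"CFF2", b"cmap", b"fvar"])
    print(has_cff_and_cff2(normal), has_cff_and_cff2(odd))
```

A hit only means the file has the abnormal table combination; it does not inspect the charset descriptor, so flagged files still need triage.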
CVSS provenance
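| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_msrc | — | 7.8 | HIGH | — |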
GHSA
GHSA-229f-hv2p-3mxc (CVE-2019-1128) [HIGH]
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127.
GHSA
GHSA-q2ww-4p89-22gg (CVE-2019-1121) [HIGH]
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
GHSA
GHSA-j839-xpjx-4gm7 (CVE-2019-1120) [HIGH]
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
GHSA
GHSA-34cj-gvj6-2422 (CVE-2019-1124) [HIGH]
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1127, CVE-2019-1128.
GHSA
GHSA-mv4v-p439-fv5j (CVE-2019-1123) [HIGH]
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
GHSA
GHSA-4rm2-m5fr-hpg9 (CVE-2019-1119) [HIGH]
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
GHSA
GHSA-5559-9px3-6x8w (CVE-2019-1127) [HIGH]
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1128.
GHSA
GHSA-gj6q-6rxx-9w68 (CVE-2019-1118) [HIGH]
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
GHSA
GHSA-6f96-cv22-mggm (CVE-2019-1117) [HIGH]
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
GHSA
GHSA-jpfm-wf34-x9vx (CVE-2019-1122) [HIGH]
ghsa_unreviewed · 2022-05-24 · CVSS 8.8
A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory, aka 'DirectWrite Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128.
Microsoft
DirectWrite Remote Code Execution Vulnerability (CVE-2019-1128) [HIGH]
vendor_msrc · 2019-07-09 · CVSS 7.8
Description: A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.
The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory.
Microsoft Graphics Component: Microsoft Graphics Component
Microsoft: Microsoft
Impact: Remote Code Execution
Exploit St