[SingCERT] Advisory on Critical Microsoft Graphics Component Vulnerabilities
13 April 2018
Microsoft has announced the release of several security patches to address vulnerabilities affecting its operating system and other products. Five of these vulnerabilities, rated critical and affecting the Windows Graphics Component (CVE-2018-1010, CVE-2018-1012, CVE-2018-1013, CVE-2018-1015, CVE-2018-1016), could allow an attacker to compromise a user's computer by tricking the user into visiting a malicious website. These vulnerabilities exist due to improper handling of specially crafted embedded fonts by the Windows font library. Attackers could take advantage of these vulnerabilities, which require no special privileges or user interaction, to gain full control of the system, including creating new user accounts or even achieving Remote Code Execution (RCE).
An attacker can exploit these issues by tricking an unsuspecting user into opening a specially crafted malicious file sent through email, or into visiting a website with the malicious font by clicking on a link in an email or an instant message. These files or links, if opened by the user, would execute arbitrary code on the user's system and hand over control of the affected system to the attacker.