The Font Scaler engine is widely used in the Microsoft Windows and Mac OS operating systems for rendering TrueType/OpenType fonts. It was first introduced in 1989. Later, to improve the performance of the Windows NT operating system, Microsoft decided to move the engine from user mode to kernel mode. This change does improve performance, but it also brings security issues. Specifically, the Font Scaler engine represents a significant kernel attack surface, and it is perhaps the most easily accessible one that can be reached remotely. For example, the famous Duqu malware demonstrated vulnerabilities in this engine in 2011.
Many things make the font engine vulnerable: the complexity of the font file format, the relocation of the Font Scaler engine from user mode into the kernel, the assumptions about the interactions between the font engine and its clients (win32k.sys), and the existence of the font cache. Among the resulting vulnerabilities, TOCTTOU (Time-of-Check to Time-of-Use) is the most critical type.
In this talk, I'm going to discuss the basic double fetch problem. Furthermore, I would like to present a stealthier TOCTTOU vulnerability that is introduced by the design of the font engine.
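The basic double fetch problem mentioned above, as an added illustration that is not part of the talk or of any real font engine code: a kernel-side parser checks a length field read from user-mapped memory, then re-reads the same field when copying, so a racing user thread can change it between the check and the use. The `table_hdr` layout, the `race_hook` that stands in for the racing thread, and all sizes are constructed for the demonstration; the hardened variant shows the single-fetch fix.

```c
#include <stdint.h>
#include <string.h>

#define KBUF 64                        /* kernel-side buffer the length check guards */

/* Constructed stand-in for a font table header that lives in user-mapped memory
 * and is therefore writable by another user thread at any time. */
struct table_hdr { uint32_t len; uint8_t data[256]; };

/* Hypothetical hook standing in for a racing user thread; it is called in the
 * window between check and use so the race is deterministic here. */
typedef void (*race_hook)(volatile struct table_hdr *);

/* Vulnerable pattern: len is fetched from shared memory twice. The check is made
 * on the first fetch, the copy size comes from the second. Returns bytes copied or -1. */
int parse_double_fetch(volatile struct table_hdr *u, race_hook hook, uint8_t *out) {
    if (u->len > KBUF)                 /* fetch #1: the check */
        return -1;
    if (hook) hook(u);                 /* user thread rewrites len in this window */
    uint32_t n = u->len;               /* fetch #2: the use, no longer bounded by the check */
    memcpy(out, (const uint8_t *)u->data, n);  /* n may now exceed KBUF */
    return (int)n;
}

/* Hardened pattern: fetch the header once into kernel memory, then check and use
 * only that private copy. A later change to user memory cannot affect it. */
int parse_single_fetch(volatile struct table_hdr *u, race_hook hook, uint8_t *out) {
    struct table_hdr k;
    memcpy(&k, (const struct table_hdr *)u, sizeof k);  /* single fetch */
    if (k.len > KBUF)
        return -1;
    if (hook) hook(u);                 /* same window, but k.len is unaffected */
    memcpy(out, k.data, k.len);
    return (int)k.len;
}

/* Constructed racing writer: grows the length past the kernel buffer. */
static void grow_len(volatile struct table_hdr *u) { u->len = 200; }

/* Runs one parser against a constructed header with len = 32 and the racing writer. */
static int run(int (*parse)(volatile struct table_hdr *, race_hook, uint8_t *)) {
    static uint8_t out[256];           /* oversized so the demo itself stays in bounds */
    struct table_hdr hdr;
    memset(&hdr, 0, sizeof hdr);
    hdr.len = 32;
    return parse(&hdr, grow_len, out);
}

int demo_vuln(void) { return run(parse_double_fetch); }  /* returns 200: 136 bytes past KBUF */
int demo_safe(void) { return run(parse_single_fetch); }  /* returns 32: the checked length */
```

The out buffer is deliberately larger than KBUF so the vulnerable path overreads nothing in the demo; the returned size is what shows the check was bypassed.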