The Font Scaler Engine is widely used to scale the outline font definition such as TrueType/OpenType font for a glyph to a specific point size and converts the outline into a bitmap at a particular resolution. The revolution of font in computer that is mainly used for stylist purposes had make many users ignored its security issues. In fact, the Font Scaler engine could cause many security impacts especially in Windows kernel mode.
In this talk, the basic structure of the Font Scaler engine will be discussed. This includes the conversion of an outline into a bitmap, the mathematical description of each glyph in an outline font, a set of instruction in each glyph that instruct the Font Scaler Engine to modify the shape of the glyph, and the instruction interpreter etc.
Next, we introduce our smart font fuzzing method for identifying the new vulnerabilities of the Font Scaler engine. The different of dumb fuzzing and vulnerable functions will be explained and we will prove that the dumb fuzzing technique is not a good option for Windows Font Fuzzing.
Lastly, we focus on the attack vector that could be used to launch the attacks remotely and locally. A demonstration of the new TrueType font vulnerabilities and the attack vector on Windows 8 and Windows 7 will be shown.