1 Replies - 519 Views - Last Post: 01 August 2015 - 07:32 AM

#1 The Chief  Icon User is offline

  • D.I.C Head

Reputation: 4
  • View blog
  • Posts: 123
  • Joined: 12-November 14

Windows TrueType font

Posted 31 July 2015 - 05:24 PM

I heard recently about a pretty major windows exploit that allowed malicious code to be embedded within a TrueType font which allowed the attacker to gain access to the targeted machine. I'm not really interested in learning how to code exploits, I'm still learning the basics of general programming but I do have some questions.

How the hell do people find these exploits in the first place? Some of the ones I've read are just so strange, like the .LNK exploit. I mean seriously how would you even go about trying to look for these sorts of exploits? I've used windows for the last 15 years and I've never made the computer do something it wasn't meant to.

The only way I imagine it would be possible to find exploits in a piece of software is to see the source code and visually seeing where something could go wrong.

But as I said some of these exploits are just so darn random. Even if you find something that you think could be exploited you've then got to write the code for it, essentially blindfolded because you can't see the code "on the other side".

It must take some serious knowledge and a wide range of skills to find exploits and then actually exploit them.

The only exploit I ever found in my entire life was in an MMO and it was a duping exploit, fill up your inventory and then split a stack and because half the stack had no space to go to it would create 99 of those items, for some reason.

Sorry for rant, thanks for reading.

Windows TrueType Font Exploit
http://www.cve.mitre...e=CVE-2014-4148
http://www.scmagazin...article/377226/

Windows .LNK exploit
http://www.cve.mitre...e=CVE-2010-2568

This post has been edited by The Chief: 31 July 2015 - 05:33 PM


Is This A Good Question/Topic? 0
  • +

Replies To: Windows TrueType font

#2 Skydiver  Icon User is offline

  • Code herder
  • member icon

Reputation: 5887
  • View blog
  • Posts: 20,095
  • Joined: 05-May 12

Re: Windows TrueType font

Posted 01 August 2015 - 07:32 AM

Remember that not all of us need source code to debug a system. Some people are quite adept at debugging assembly. The ones that really impressed me are those who can debug code watching oscilloscopes (like for some of the hardware hacks on consoles).
Was This Post Helpful? 0
  • +
  • -

Page 1 of 1