Single Character Could Crash Windows PC

John Lister's picture

A single character from ancient English could crash a Windows 10 PC, thanks to an odd security glitch. It's been patched in the most recent Windows updates, making it an important fix for those who download updates manually.

The bug appears to work in most major browsers and involves the Æ symbol. If that isn't clear on your device, it's the symbol that looks like a capital A in italics squashed into a capital E.

The symbol, sometimes called "ash" in English, has been used to designate specific sounds in several language over the past few thousand years. In old English it was a sound midway between "a" and "e", somewhat similar to the "a" in the way modern English pronounces "cat". Perhaps its most common appearance today is in the word daemon in the His Dark Materials books.

Font Request Triggers Glitch

The bug, discovered by Dominik Röttsches of Google and Mateusz Jurczyk of Google Project Zero, is to do with the way browsers access Windows when following instructions to display the symbol in particular fonts. (Source: chromium.org)

If used in a real attack, it would mean a specially crafted website asked users to click OK to view the page in a specific font, which would be enough to trigger the glitch. (Source: tomsguide.com)

In very simplified terms, the bug writes data outside of the expected area of the computer's memory that is normally protected by the operating system. At best this can cause the computer to crash completely. At worst it could allow an attacker to access and alter another part of the computer's operations.

Bug Kept Under Wraps

The researchers who discovered the bug told Microsoft about in in late November. Under Google's disclosure policy, they waited 90 days before going public.

As part of the disclosure, the researchers created a sample font and webpage that demonstrate the resulting computer crash. Naturally this is very much one for serious tech nerds only and not something the average user should try.

It doesn't appear any real hackers became aware of the glitch and tried to exploit it. As always with such disclosures, attackers may now give it a go in the hope of scamming users who haven't applied the security updates.

What's Your Opinion?

Have you ever seen a browser message asking to install a font? Do you think you'd click "Yes" if you saw it? How long should security researchers wait before making bug discoveries public?

Rate this article: 
Average: 5 (8 votes)

Comments

ifopackets_10683's picture

I reject all browser requests that want something until I figure out "why"...
I really don't see any, which is a good thing I guess.

A funny note about your WEB page which showed me the buggy font letter (so to speak)
in my browser correctly. OTOH,
(It was a question mark in a diagonal black box in my WEBmail program.)

I think for a few "others" that might have been like the podcasters that say Alexa
and wind up ordering soap or something for a thousand listeners.
Wonder how many unpatched computers it crashed? Grin.