VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2019 · Updated Aug 4, 2024

CVE-2019-1411


Description

An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory, aka 'DirectWrite Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1432.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2019-1411 is an out-of-bounds read in DirectWrite's font parsing, enabling information disclosure when a user opens a malicious file or visits a malicious page.

Vulnerability

An information disclosure vulnerability exists in the DirectWrite library included with Microsoft Windows, specifically within the parsing of font files. The issue results from the lack of proper validation of user-supplied data, which can lead to an out-of-bounds read past the end of an allocated buffer [1]. This CVE is unique from CVE-2019-1432 [1]. The vulnerability affects all supported versions of Windows at the time of disclosure, including Windows 7, Windows 8.1, Windows 10, and Windows Server 2008 through 2019 [1].

Exploitation

Exploitation requires user interaction: the target must visit a malicious webpage or open a specially crafted font file [1]. An attacker can serve the malicious file via email or a compromised website. The vulnerability can be triggered when DirectWrite processes the crafted font, causing a read of memory beyond the allocated buffer boundary. No special privileges or authentication are needed beyond the user interaction [1].

Impact

A successful read past the end of the buffer can leak sensitive memory contents, such as cryptographic keys, passwords, or other confidential data present in the process address space [1]. The CVSS score is 3.3 (low) with confidentiality impact limited to partial disclosure [1]. The disclosure could be used as an information-gathering step in a larger attack chain, possibly enabling code execution if combined with another vulnerability [1].

Mitigation

Microsoft released a security update on November 12, 2019, as part of the monthly Patch Tuesday rollout [1]. All users should apply the cumulative update for their Windows version. No workaround is available; the fix addresses the out-of-bounds read by adding proper input validation in the DirectWrite font parser. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.

References
  1. ZDI-19-973

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Count: 7
  • Range: 7 for 32-bit Systems Service Pack 1
  • Microsoft/Windows 10 Version 1903 for 32-bit Systems
    Range: unspecified
  • Microsoft/Windows 10 Version 1903 for ARM64-based Systems
    Range: unspecified
  • Microsoft/Windows 10 Version 1903 for x64-based Systems
    Range: unspecified
  • Range: 2008 R2 for x64-based Systems Service Pack 1 (Core installation)
  • Microsoft/Windows Server, version 1903 (Server Core installation)
    Range: unspecified

Patches

Count: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

Count: 2

News mentions

Count: 0

No linked articles in our index yet.