Windows 10 PCs can crash from this single character — update right now
Malformed font could bring down the whole house of cards
If you haven't yet applied Microsoft's latest Windows security updates, you need to do so now. That's because the updates fix a flaw that could crash or hack Windows 10 with a single character displayed in a web page.
We'll spare you the technical details of how this works — you can read all about it in this Google Project Zero forum post — but an attack would involve a maliciously crafted TrueType font embedded in a web page.
- Look out! This short Windows 10 command can trash your hard drive
- The best antivirus programs to protect your PC
- Plus: I switched to iPhone after 10 years on Android — here's what happened
A visitor to the page would have to click "OK" to view (and therefore download) the malicious font, but it's not too hard to trick people into doing things online.
A successful attack would crash a PC running any version of Windows 10, as long as the machine hasn't installed the Feb. 9 patches. Windows 8.1, the only other version of Windows that Microsoft still supports, doesn't seem to be affected.
If you'd like to try out the attack yourself, Google Project Zero lets you download a proof-of-concept malicious font and a web page to display it here. The attack should work in the Google Chrome, Microsoft Edge and Mozilla Firefox browsers if the PC hasn't recently been updated. Try this at your own risk.
We tried out the proof-of-concept ourselves and just saw a fuzzy version of the "Æ" character you may remember from studying "Beowulf" in school. But our computer has installed this month's Microsoft updates.
As far as we know, there are no reports of this flaw being used in real-life attacks. That may change now that the secret is out.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!
Google's Dominik Röttsches and Mateusz Jurczyk found the flaw last November and gave Microsoft 90 days to fix it.
- More: These are the best VPN services worth considering
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.