Skip to main content

Windows 10 PCs can crash from this single character — update right now

blue screen of death
(Image credit: Shutterstock)

If you haven't yet applied Microsoft's latest Windows security updates, you need to do so now. That's because the updates fix a flaw that could crash or hack Windows 10 with a single character displayed in a web page.

We'll spare you the technical details of how this works — you can read all about it in this Google Project Zero forum post — but an attack would involve a maliciously crafted TrueType font embedded in a web page. 

A visitor to the page would have to click "OK" to view (and therefore download) the malicious font, but it's not too hard to trick people into doing things online.

A successful attack would crash a PC running any version of Windows 10, as long as the machine hasn't installed the Feb. 9 patches. Windows 8.1, the only other version of Windows that Microsoft still supports, doesn't seem to be affected.

If you'd like to try out the attack yourself, Google Project Zero lets you download a proof-of-concept malicious font and a web page to display it here. The attack should work in the Google Chrome, Microsoft Edge and Mozilla Firefox browsers if the PC hasn't recently been updated. Try this at your own risk.

We tried out the proof-of-concept ourselves and just saw a fuzzy version of the "Æ" character you may remember from studying "Beowulf" in school. But our computer has installed this month's Microsoft updates.

As far as we know, there are no reports of this flaw being used in real-life attacks. That may change now that the secret is out.

Google's Dominik Röttsches and Mateusz Jurczyk found the flaw last November and gave Microsoft 90 days to fix it.

Paul Wagenseil
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. That's all he's going to tell you unless you meet him in person.