MS Patches Critical Flaw in EOT Font Engine

2010-01-12T19:00:00
ID MS-PATCHES-CRITICAL-FLAW-EOT-FONT-ENGINE-011210/73360
Type threatpost
Reporter Ryan Naraine
Modified 2013-04-17T16:38:10

Description

The first Microsoft patch for 2010 is out, providing cover for a solitary vulnerability in the way Windows handles EOT (Embedded OpenType) fonts. The update is rated “critical” but Microsoft says there is a low likelihood of exploitation on its newer operating systems.

The vulnerability, which was discovered by Google security engineer Tavis Ormandy, is a remote code execution issue in the way that the Microsoft Windows Embedded OpenType (EOT) Font Engine decompresses specially crafted EOT fonts.

Related Posts

New Bug in Internet Explorer Used in Targeted Attacks

November 3, 2010 , 4:03 pm

Microsoft Releases Huge Patch Tuesday Update For 49 Bugs

October 12, 2010 , 5:38 pm

Microsoft Warns of Attacks Against ASP.NET Flaw

September 21, 2010 , 3:04 pm

From the MS10-001 advisory:

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Because Microsoft considers this a very difficult vulnerability to exploit on most operating systems, it is rated “critical” only for Windows 2000.

The Microsoft Security Research & Defense blog explains in more detail:

What is the issue?
t2embed.dll improperly performs
bounds-checking on lengths which are decoded from the LZCOMP
bit-stream. This made it possible for a copy loop to violate the
intended working buffer.

Is the EOT functionality reachable through 3rd party code?
Yes,
the t2embed library provides EOT functionality that can be used by 3rd
party code. Many 3rd parties import t2embed for their font rendering,
though some may choose to implement their own font rendering.

Why an Exploitability Index rating of 2?
The
Exploitability Index rating or 2 is due to the low likelihood of
successful exploitation. Hurdles exist around heap preparation and
predictability, heap data corruption, and a race condition to get an
exception handler making successful exploitation unlikely.

The company warned that malicious hacker could use rigged fonts (EOT) delivered within files hosted on Web sites that are rendered in all versions of Internet Explorer by
default.

An attacker could also use malicious office documents e-mailed to victims. In a successful attack, a user running an unpatched machine would have to be tricked into opening a document — PowerPoint or Word documents — that contains a
malformed embedded font.