Critical TrueType Font Parsing Vulnerabilities Addressed in Patch Tuesday Updates

Microsoft’s July Patch Tuesday security bulletins patch numerous critical vulnerabilities, including some related to malicious TrueType Font files used in a number of high-profile targeted attacks.

Going all the way back to the Duqu attacks, font-parsing vulnerabilities and exploits have been symptomatic of some high-end espionage attacks targeting the Windows kernel. As a result, with hackers paying more attention to the core of the Windows OS, this year Microsoft has had to address a number of kernel-related vulnerabilities in its monthly Patch Tuesday security updates. Today is no exception.

Of the seven security bulletins and patches for 34 vulnerabilities released today, three of the bulletins address a font-parsing issue that can lead to kernel compromises and remote code execution.

In addition to its regular spate of security patches, Microsoft also announced a policy change to its app store requiring developers to provide timely security updates for vulnerable apps purchased and downloaded from any of its marketplaces, especially those vulnerabilities being exploited in the wild.

As for this month’s patches, experts recommend patching MS13-053 immediately. The bulletin is rated critical and addresses eight vulnerabilities, including a remote-code execution flaw caused by improper processing of TrueType font files in the Windows kernel-mode driver. This vulnerability, CVE-2013-3129, is noted in three bulletins this month and it affects every supported version of Windows going back to XP, including Windows 8 and RT. The bulletin also patches memory allocation, information disclosure, buffer overflow and dereference vulnerabilities.

“Three advisories are being released to address TTF parsing issues which could be used in drive-by-downloads or other attacks leading to code execution,” said Craig Young, a Tripwire security researcher. “One such vulnerability is particularly bad as it exists within kernel-space and can allow code execution in the SYSTEM context.”
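The reason a font file is such an attractive carrier is that every field in its table directory (the count of tables, and each table's offset and length) is attacker-controlled and consumed by a parser that, on Windows, runs in the kernel. The following is an added example, not code from the article or from Microsoft, and it does not reproduce CVE-2013-3129 (the page gives no details of that bug). It parses the TrueType/OpenType table directory from constructed byte strings and contrasts the naive 32-bit `offset + length <= size` check, which wraps, with the overflow-safe form. All font blobs, tags and the `naive_fits` helper are constructed for illustration.

```python
import struct

# Offset table ("sfnt header") and table-record layouts from the TrueType/OpenType
# spec; everything is big-endian.
HEADER_FMT = ">IHHHH"    # sfntVersion, numTables, searchRange, entrySelector, rangeShift
RECORD_FMT = ">4sIII"    # tag, checkSum, offset, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 16
SFNT_VERSIONS = (0x00010000, 0x74727565)   # 1.0 and 'true'


class FontParseError(ValueError):
    """Raised for any directory entry that cannot be trusted."""


def naive_fits(offset: int, length: int, size: int) -> bool:
    """The unsafe bounds check as a C parser with 32-bit ints would compute it:
    offset + length wraps, so an enormous length can look like it fits."""
    return ((offset + length) & 0xFFFFFFFF) <= size


def parse_table_directory(data: bytes) -> dict:
    """Return {tag: (offset, length)} for every table, rejecting any entry that
    points outside the buffer. Checks are written as 'length > size - offset'
    rather than 'offset + length > size' so the logic is wrap-free in C too."""
    size = len(data)
    if size < HEADER_LEN:
        raise FontParseError("file shorter than sfnt header")
    version, num_tables, _, _, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if version not in SFNT_VERSIONS:
        raise FontParseError(f"unexpected sfnt version 0x{version:08x}")
    # numTables is attacker-controlled: verify the whole directory fits before
    # reading a single record, instead of discovering it mid-loop.
    dir_end = HEADER_LEN + num_tables * RECORD_LEN
    if dir_end > size:
        raise FontParseError(f"numTables={num_tables} needs {dir_end} bytes, file has {size}")
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack_from(
            RECORD_FMT, data, HEADER_LEN + i * RECORD_LEN)
        if offset < dir_end or offset > size or length > size - offset:
            raise FontParseError(
                f"table {tag!r}: offset={offset} length={length} outside {size}-byte file")
        if tag in tables:
            raise FontParseError(f"duplicate table {tag!r}")
        tables[tag] = (offset, length)
    return tables


def build_font(records, payload: bytes) -> bytes:
    """Assemble a minimal sfnt from explicit (tag, offset, length) records plus a
    body. Offsets and lengths are written exactly as given, so a hostile
    directory can be constructed on purpose."""
    header = struct.pack(HEADER_FMT, 0x00010000, len(records), 0, 0, 0)
    directory = b"".join(struct.pack(RECORD_FMT, tag, 0, off, ln) for tag, off, ln in records)
    return header + directory + payload


def is_well_formed(data: bytes) -> bool:
    try:
        parse_table_directory(data)
        return True
    except FontParseError:
        return False


# Constructed samples (zero-filled table bodies; only the directory matters here).
DIR_END = HEADER_LEN + 2 * RECORD_LEN   # 44: two records follow the header
BENIGN_FONT = build_font([(b"head", DIR_END, 54), (b"maxp", DIR_END + 54, 6)], bytes(60))
# 'glyf' claims ~4 GiB: a wrapping 32-bit check accepts it, the safe check does not.
OVERSIZED_LENGTH = build_font([(b"head", DIR_END, 54), (b"glyf", DIR_END + 54, 0xFFFFFFF0)], bytes(60))
# 'glyf' offset far past the end of the file.
FAR_OFFSET = build_font([(b"head", DIR_END, 54), (b"glyf", 0x7FFFFFF0, 16)], bytes(60))
# Header claims 65535 tables while the file holds two records.
BOGUS_COUNT = struct.pack(HEADER_FMT, 0x00010000, 0xFFFF, 0, 0, 0) + BENIGN_FONT[HEADER_LEN:]

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_FONT), ("oversized length", OVERSIZED_LENGTH),
                       ("far offset", FAR_OFFSET), ("bogus numTables", BOGUS_COUNT)]:
        print(f"{name:16s} -> {'ok' if is_well_formed(blob) else 'rejected'}")
    print("naive 32-bit check accepts oversized glyf:",
          naive_fits(DIR_END + 54, 0xFFFFFFF0, len(OVERSIZED_LENGTH)))
```

The oversized-length sample is the instructive one: with a 104-byte file and a `glyf` record at offset 98, `98 + 0xFFFFFFF0` wraps to 82 in 32-bit arithmetic, so the naive check passes and a C parser would read roughly 4 GiB past the buffer, whereas `length > size - offset` rejects it without any risk of wrapping.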

MS13-053 also includes the vulnerability disclosed by Google researcher Tavis Ormandy, described in CVE-2013-3660. Microsoft called the Win32k Read AV vulnerability “theoretical” in its advisory and said an attacker would need physical access to the machine and log in to the system in order to exploit the vulnerability and gain elevated privileges.

Ormandy published details on the vulnerability more than a month ago on the Full Disclosure mailing list and solicited help in developing his exploit, which he said was ready within a week. Exploit modules were also quickly developed for Metasploit and other pen-testing platforms.

Exploits are also publicly available for MS13-052, which addresses seven vulnerabilities in the Microsoft .NET Framework and Microsoft Silverlight. The bulletin is rated critical for .NET 2.0 SP 2, .NET SP 3, .NET 3.5, 3.5.1, 4 and 4.5 as well as Silverlight 5. The TrueType Font file vulnerability is also addressed in this bulletin, Microsoft said, adding that only applications that use a particular code pattern are susceptible to exploitation.

“The most severe of these vulnerabilities could allow remote code execution if a trusted application uses a particular pattern of code,” Microsoft said in its advisory. “An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.”

Microsoft also released another cumulative update for Internet Explorer this month in MS13-055, coming on the heels of a similar update last month and several in previous Patch Tuesday releases. The update patches 17 vulnerabilities in the browser, most of which enable remote code execution when a user visits a compromised or malicious webpage. IE 6 through 10 are affected, Microsoft said, and the vulnerabilities lie in the way IE handles objects in memory, leading to memory corruption. A Shift JIS character-encoding vulnerability is also addressed.

“Since several of the vulnerabilities have an exploitation index of ‘1,’ indicating that the development of an exploit is well within the capabilities of attack teams, it is worth addressing as quickly as possible,” said Qualys CTO Wolfgang Kandek.

The remaining bulletins include:

  • MS13-054 is a critical remote code execution vulnerability in GDI+ in Microsoft Windows, Office, Lync and Visual Studio which could be exploited by sharing or viewing content that includes malicious embedded TrueType Font files.
  • MS13-056 patches one critical vulnerability in Windows DirectShow, which is used to process image and media files. Opening a malicious image file could enable remote code execution with the rights of the logged-on user.
  • MS13-057 addresses a critical remote-code execution vulnerability in Windows Media Format Runtime. Users who open a malicious media file could be exploited.
  • MS13-058 patches a privilege elevation vulnerability due to the pathnames used by Windows Defender for Windows 7 and Windows Server 2008 R2.

Windows Store Policy Change

Microsoft also instituted a policy change for developers writing applications sold and/or downloaded from the Windows Store, Windows Phone Store, Office Store and Azure Marketplace that requires developers to patch security vulnerabilities within 180 days for apps not under active attack.

“This assumes the app is not currently being exploited in the wild,” said Dustin Childs, group manager Microsoft Trustworthy Computing. “In those cases, we’ll work with the developer to have an update available as soon as possible and may remove the app from the store earlier.”

The policy states: “The updated app must be submitted to the store within 180 days of the first report that reproduces the issue. Microsoft reserves the right to take swift action in all cases, which may include immediate removal of the app from the store, and will exercise its discretion on a case-by-case basis.”

Microsoft said no patches have come close to exceeding this deadline to date.
