MS Patches Critical Flaw in EOT Font Engine

The first Microsoft patch for 2010 is out, providing cover for a solitary vulnerability in the way Windows handles EOT (Embedded OpenType) fonts.  The update is rated “critical” but Microsoft says there is a low likelihood of exploitation on its newer operating systems.

The vulnerability, which was discovered by Google security engineer Tavis Ormandy, is a remote code execution issue in the way that the Microsoft Windows Embedded OpenType (EOT) Font Engine decompresses specially crafted EOT fonts.

From the MS10-001 advisory:

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Because Microsoft considers this a very difficult vulnerability to exploit on most operating systems, it is rated “critical” only for Windows 2000.

The Microsoft Security Research & Defense blog explains in more detail:

What is the issue?
t2embed.dll improperly performs bounds-checking on lengths which are decoded from the LZCOMP bit-stream. This made it possible for a copy loop to violate the intended working buffer.

Is the EOT functionality reachable through 3rd party code?
Yes, the t2embed library provides EOT functionality that can be used by 3rd party code. Many 3rd parties import t2embed for their font rendering, though some may choose to implement their own font rendering.

Why an Exploitability Index rating of 2?
The Exploitability Index rating of 2 is due to the low likelihood of successful exploitation. Hurdles exist around heap preparation and predictability, heap data corruption, and a race condition to get an exception handler making successful exploitation unlikely.
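The defect class Microsoft describes above is a decompressor that trusts a length field read from the compressed stream and lets its copy loop run for that many bytes without comparing it to the room left in the working buffer. The following C program is an added illustration of that check, not code from t2embed or from Microsoft: it decodes a small constructed token format (a stand-in for an LZCOMP-style bit-stream, not the real one) and rejects a stream whose decoded length or back-reference distance would step outside the output buffer. The status names and the sample streams are invented for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoder status codes (constructed for this example). */
enum lz_status {
    LZ_OK = 0,
    LZ_ERR_TRUNCATED,     /* input ended in the middle of a token      */
    LZ_ERR_BAD_TAG,       /* unknown token type                        */
    LZ_ERR_BAD_DISTANCE,  /* back-reference points before the output   */
    LZ_ERR_OVERFLOW       /* decoded length would run past out[]       */
};

/* Decode a constructed toy LZ stream (not the LZCOMP format). Tokens:
 *   0x00 <byte>          emit one literal byte
 *   0x01 <len> <dist>    copy <len> bytes starting <dist> bytes back in out[]
 * Both <len> and <dist> come straight from untrusted input, so each is
 * validated against the current output position and the capacity of the
 * working buffer before the copy loop runs. Omitting the LZ_ERR_OVERFLOW
 * check is the class of defect described above: the loop would then write
 * <len> bytes regardless of how much room remains. */
enum lz_status lz_decode(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t ip = 0, op = 0;

    while (ip < in_len) {
        uint8_t tag = in[ip++];
        if (tag == 0x00) {
            if (ip >= in_len) return LZ_ERR_TRUNCATED;
            if (op >= out_cap) return LZ_ERR_OVERFLOW;
            out[op++] = in[ip++];
        } else if (tag == 0x01) {
            if (in_len - ip < 2) return LZ_ERR_TRUNCATED;
            size_t len  = in[ip++];
            size_t dist = in[ip++];
            if (dist == 0 || dist > op) return LZ_ERR_BAD_DISTANCE;
            if (len > out_cap - op) return LZ_ERR_OVERFLOW; /* bounds check on the decoded length */
            /* Byte-wise copy so overlapping references (dist < len) repeat correctly. */
            for (size_t i = 0; i < len; i++) {
                out[op] = out[op - dist];
                op++;
            }
        } else {
            return LZ_ERR_BAD_TAG;
        }
    }
    *out_len = op;
    return LZ_OK;
}

/* Constructed well-formed stream: literals 'a','b','c', then copy 6 bytes from 3 back. */
int demo_well_formed(void)
{
    static const uint8_t stream[] = { 0x00,'a', 0x00,'b', 0x00,'c', 0x01,6,3 };
    uint8_t out[16];
    size_t n = 0;
    if (lz_decode(stream, sizeof stream, out, sizeof out, &n) != LZ_OK) return 0;
    return n == 9 && memcmp(out, "abcabcabc", 9) == 0;
}

/* Constructed malformed stream: a copy length of 255 into a 16-byte working buffer. */
enum lz_status demo_oversized_length(void)
{
    static const uint8_t stream[] = { 0x00,'a', 0x01,255,1 };
    uint8_t out[16];
    size_t n = 0;
    return lz_decode(stream, sizeof stream, out, sizeof out, &n);
}

/* Constructed malformed stream: a back-reference further back than the output produced. */
enum lz_status demo_bad_distance(void)
{
    static const uint8_t stream[] = { 0x00,'a', 0x01,2,5 };
    uint8_t out[16];
    size_t n = 0;
    return lz_decode(stream, sizeof stream, out, sizeof out, &n);
}

int main(void)
{
    printf("well-formed decode ok: %d\n", demo_well_formed());
    printf("oversized length -> status %d (expect %d)\n", demo_oversized_length(), LZ_ERR_OVERFLOW);
    printf("bad distance -> status %d (expect %d)\n", demo_bad_distance(), LZ_ERR_BAD_DISTANCE);
    return 0;
}
```

The check that matters is `len > out_cap - op`: it is evaluated against the space remaining at the moment the token is decoded, not against the total buffer size, so a stream that fills most of the buffer with literals and then asks for a long copy is rejected just like one that asks for a long copy up front. The distance check is the companion test on the other direction of the same loop.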

The company warned that a malicious hacker could use rigged EOT fonts delivered within files hosted on Web sites, which are rendered by default in all versions of Internet Explorer.

An attacker could also use malicious Office documents e-mailed to victims.  In a successful attack, a user running an unpatched machine would have to be tricked into opening a PowerPoint or Word document that contains a malformed embedded font.
