CERT-MU AD-2010-1
Remote Code execution vulnerability in Microsoft Embedded OpenType Font Engine
Original issue date: 13 January, 2010
Overview
A heap overflow vulnerability has been reported in a Microsoft Windows component, the Embedded OpenType (EOT) Font Engine.
Description
Embedded OpenType (EOT) fonts are a compact form of fonts designed for use on Web pages. These fonts can be embedded in a document. Use of EOT fonts ensures that a user views the document exactly as the author intended. The Web Embedding Fonts Tool (WEFT) lets Web authors create font objects that are linked to their Web pages so that, when viewed through the browser, pages display in the style contained in the font object.
The vulnerability is in the Microsoft Windows Embedded OpenType (EOT) Font Engine (T2EMBED.DLL), which improperly performs bounds checking on lengths decoded from the LZCOMP (a compression algorithm) bit-stream, leading to an integer overflow.
An attacker could exploit this vulnerability by creating data records in a .doc or .ppt file that contain a specially crafted Embedded OpenType (EOT) font and persuading a user to open the file, or by persuading a user to view a specially crafted website.
Successful exploitation of the vulnerability could allow a remote attacker to execute arbitrary code and take control of the vulnerable system in the context of the logged-in user.
Note: The vulnerability could be exploited on Windows 2000 only. Other Windows versions contain the vulnerable code but do not use this code in a way that may expose the vulnerability.
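The bug class described above, a length check that wraps when applied to a decoded length, is shown here as an added example beside an overflow-safe form. This is not Microsoft's code or the T2EMBED.DLL layout: it assumes a simplified LZ77-style back-reference copy, and `lz_out`, `copy_fits_wrapping`, `copy_fits` and `lz_copy` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical decoder output state (assumption, not the real engine's layout). */
typedef struct {
    uint8_t *out;   /* output buffer */
    uint32_t cap;   /* size of out in bytes */
    uint32_t pos;   /* bytes written so far; invariant: pos <= cap */
} lz_out;

/* Flawed form: pos + len is 32-bit arithmetic and wraps past zero,
 * so a very large decoded length passes the comparison. */
int copy_fits_wrapping(const lz_out *o, uint32_t len)
{
    return o->pos + len <= o->cap;
}

/* Safe form: compare against remaining space, so nothing can wrap. */
int copy_fits(const lz_out *o, uint32_t dist, uint32_t len)
{
    if (o->pos > o->cap) return 0;              /* broken invariant */
    if (dist == 0 || dist > o->pos) return 0;   /* source must be already-written data */
    if (len > o->cap - o->pos) return 0;        /* destination must fit */
    return 1;
}

/* Apply one back-reference; returns 0 on success, -1 if rejected. */
int lz_copy(lz_out *o, uint32_t dist, uint32_t len)
{
    if (!copy_fits(o, dist, len)) return -1;
    /* Byte-wise copy: source and destination may overlap when dist < len. */
    for (uint32_t i = 0; i < len; i++) {
        o->out[o->pos] = o->out[o->pos - dist];
        o->pos++;
    }
    return 0;
}

int main(void)
{
    uint8_t buf[16] = { 'a', 'b', 'c' };   /* constructed sample output */
    lz_out o = { buf, sizeof buf, 3 };
    uint32_t huge = 0xFFFFFFFEu;           /* constructed oversized length */
    printf("wrapping check accepts: %d\n", copy_fits_wrapping(&o, huge));
    printf("safe copy result: %d\n", lz_copy(&o, 3, huge));
    return 0;
}
```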
Workarounds
- Disable support for parsing embedded fonts in Internet Explorer
- Deny Access to T2EMBED.DLL
- Use caution while opening attachments or clicking links in email messages from unknown sources
For detailed steps of these workarounds, refer to Microsoft Security Bulletin MS10-001.
Note: This Bulletin replaces Microsoft Security Bulletin MS09-029
Software Affected
- Microsoft Windows 2000 SP 4
- Microsoft Windows XP SP 2
- Microsoft Windows XP SP 3
- Microsoft Windows XP Professional x64 Edition SP 2
- Microsoft Windows Server 2003 SP 2
- Microsoft Windows Server 2003 x64 Edition SP 2
- Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
- Microsoft Windows Vista, Windows Vista SP 1 and SP 2
- Microsoft Windows Vista x64 Edition, SP 1 and SP 2
- Microsoft Windows Server 2008 for 32-bit Systems and with SP 2
- Microsoft Windows Server 2008 for x64-based Systems and with SP 2
- Microsoft Windows Server 2008 for Itanium-based Systems and with SP2
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems*
- Windows Server 2008 R2 for Itanium-based Systems
Impact
Severity Rating: High
Solution
Apply the appropriate updates as mentioned in Microsoft Security Bulletin MS10-001.
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Vendor Information
Microsoft http://www.microsoft.com/technet/security/bulletin/MS10-001.mspx
CVE Name
CVE-2010-0018
References
Microsoft
http://www.microsoft.com/technet/security/bulletin/MS10-001.mspx
http://support.microsoft.com/kb/972270
http://blogs.technet.com/srd/archive/2010/01/12/ms10-001-font-file-decompression-vulnerability.aspx
http://msdn.microsoft.com/en-us/library/ms533034.aspx
SecurityFocus
http://www.securityfocus.com/bid/37671
VUPEN
http://www.vupen.com/english/advisories/2010/0095
CERT-In
http://www.cert-in.org.in/vulnerability/civn-2009-86.htm
W3C
http://www.w3.org/Submission/MTX/#Theory