Microsoft bracing for malware attacks from embedded fonts

Summary: It's only a matter of time before malicious hackers start exploiting a critical Windows vulnerability via booby-trapped Web pages or Office (Word or PowerPoint) documents.


Heads up to all Microsoft Windows users: If you're running Windows 2000, Windows XP or Windows Server 2003, stop what you're doing and immediately download and apply the MS09-065 update released earlier this week.

Security researchers say it's only a matter of time -- days not weeks -- before malicious hackers start exploiting one of the vulnerabilities via booby-trapped Web pages or Office (Word or PowerPoint) documents.

The specific vulnerability -- in the font parsing subsystem of the win32k.sys driver -- provides an entry point for hackers to take complete control of an unpatched machine without any user action beyond normal browsing or opening a rigged document file.

A proof-of-concept exploit has already been fitted into the Metasploit point-and-click tool.  According to Metasploit's HD Moore, the code triggers a BSoD (blue screen of death) from a Web page.  With some modifications, Moore expects to get reliable code execution very soon.

Microsoft's MS09-065 bulletin says an exploit was already publicly available before the update was ready on Patch Tuesday (perhaps this one released since August?), meaning that malware authors have gotten a long head start researching entry points for attacks.

Metasploit's Moore said it was "a pretty easy bug" to find based on the description provided by Microsoft.

"This demonstrates how just plain wrong some features of Windows are," he added.

According to Brian Cavenah, a researcher in Microsoft's security response team, the company expects to see reliable exploit code publicly available within 30 days.

On the SR&D blog, Cavenah outlines the severity of this issue:

The severity rating of critical was chosen since the vulnerable code is exposed through Internet Explorer and can be exercised without user interaction/notification.

Here are the worst-case attack vectors that result in remote code execution without authentication:

  • Malicious fonts (TTF’s) delivered within .eot files hosted on malicious web sites which are rendered in all versions of Internet Explorer by default.
  • Malicious office documents e-mailed to victims with social engineering to entice the victim to open the document which contains a malformed embedded font which would then be rendered upon opening the Office document (PowerPoint and Word documents are the most likely attack vectors).

There are also some local attack vectors (worst case scenario is Local Elevation of Privilege):

  • Malicious fonts (TTF’s) delivered to win32k.sys by an authenticated user in a multi-user environment (Terminal Services (TS)) scenario. Such scenarios might abuse AddFontResource() to achieve this.

The best protection from likely attacks is for all affected users to download and apply the patch.

Alternatively, affected Windows users can disable support for parsing/loading embedded fonts in Internet Explorer (warning: Web sites which make use of embedded font technology will not render properly).

This can be done via IE's Tools > Internet Options > Security settings:

* Images via Microsoft's SR&D blog and the Wikipedia entry for Embedded OpenType Font.
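
The Internet Explorer workaround above can also be checked from the registry. The following PowerShell audit is an added example, not taken from the article or from Microsoft's bulletin. It assumes PowerShell 3.0 or later and relies on IE storing each zone's "Font download" option as DWORD value 1604 (0 = Enable, 1 = Prompt, 3 = Disable) under the per-zone Internet Settings keys; the function names are hypothetical.

```powershell
# Added example: report the IE "Font download" setting (URL action 1604) for
# each security zone, in every registry location where it can be configured.
$Action   = '1604'
$Meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ZoneName = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Sub      = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Sources  = [ordered]@{
    'Machine policy'  = "HKLM:\Software\Policies\$Sub"
    'User policy'     = "HKCU:\Software\Policies\$Sub"
    'Machine setting' = "HKLM:\Software\$Sub"
    'User setting'    = "HKCU:\Software\$Sub"
}

function Get-FontDownloadSetting {
    foreach ($zone in 1..4) {
        foreach ($src in $Sources.GetEnumerator()) {
            $key  = Join-Path $src.Value "$zone"
            $item = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # value not configured in this location
            $value   = [int]$item.$Action
            $setting = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { "Unknown ($value)" }
            [pscustomobject]@{
                Zone         = $ZoneName[$zone]
                Source       = $src.Key
                Setting      = $setting
                FontsBlocked = ($value -eq 3)
            }
        }
    }
}

function Disable-FontDownload {
    # Sets the current user's own zone setting to Disable; a policy value, if
    # present, still takes effect over it. Default zones: Local intranet, Internet.
    param([int[]]$Zone = @(1, 3))
    foreach ($z in $Zone) {
        Set-ItemProperty -Path "HKCU:\Software\$Sub\$z" -Name $Action -Value 3 -Type DWord
    }
}

# Rows with FontsBlocked = False are zones where IE will still load embedded fonts.
Get-FontDownloadSetting | Format-Table -AutoSize
# Disable-FontDownload   # uncomment to apply the workaround for the current user
```

Applying the MS09-065 update remains the fix; this setting only closes the Internet Explorer vector and does not affect fonts embedded in Office documents.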

  • Not too worried here......

    Been using group policy for a long time with font downloads always being disabled for all users on my network. I am patching no doubt, but much less concerned knowing I have always had this blocked.
    • You should have blocked the power outlet too...

      and make sure no windows machine is allowed to boot.
      The Mentalist
      • No Glass around here

        We are Glass I mean Windows free, this is for the
        'point & click' virus fiasco.
        • Windows are important...

          they allow the light of the sun to enter your home...

          oh wait you meant Windows, the OS... but every OS has flaws and problems... it's statistically impossible for a software of that size to be error/flaw free
          • Wrong.....

            Linux and Mac never get updates, they are pristine from the get go. I mean let's go look at their stats.

            Sorry guys just looked at the stats, man I was way off base they do have updates and a lot of them too. For a minute there they had me fooled. Funny thing is that Mac is blowing everyone out of the water with security patches, go figure of all the OS's.
          • Right

            Every OS has flaws.

            It's just that on a scale of Windows to perfect,
            not every OS scores a "Windows".
      • You should have blocked the power outlet too.

      • Not enough

        Windows is vulnerable even after being
        unplugged from the outlet!
  • Is anyone surprised?

    Hmm, just as I thought.
    The Mentalist
    • Not at all -3. I knew you'd show up and start trolling.

      Not surprised at all.
      Hallowed are the Ori
    • Nobody is surprised

      Windows and MS Software are the most fuzzed pieces of software on the planet. Hundreds if not thousands of people do nothing but fuzz MS software all day, every day... 24/7

      Windows has one of the largest code bases in history. Bugs happen. It is only a matter of time before someone finds a hole. I am sure that if OSS software was fuzzed as much as MS there would be plenty of bugs and holes to be found.
      Duke E. Love
      • Bugs and Holes

        There are plenty of bugs and holes in OSX and Linux as well. The only surprising thing is that OSX and Linux systems aren't crawling with viruses, based on the number of vulnerabilities found and patched with every patch cycle, and the only reason I can think of that they aren't is they haven't reached a level of market share in order to make them profitable (although there IS a network of zombie OSX macs out there.)

        Take a look at the history of PWN2OWN, or even a look at the patch list for the various systems. Or take a look at the software/hardware compatibility problems after each software patch release. EVERY operating system has vulnerabilities. And the biggest vulnerability is between the keyboard and the chair.

        If OSX and/or Linux were bug free there would be no need to update the systems, ever. The only updates you would ever have would be upgrading to a new and better version of the operating system. And those newer and better versions would be exponentially better than the previous because the programmers would be able to dedicate 100% of their time to improvements, instead of on bug and vulnerability patches.

        Linux's salvation is that (A) It has a relatively low number of users, and (B) the vast majority of its users are, by sheer necessity, extremely tech savvy and knowledgeable about the workings of the OS itself. OSX is primarily market share, as most OSX users aren't really that tech savvy (maybe more tech savvy than the average Windows user, but less than the average Linux user. I know of at least one dyed in the wool Mac graphix office who still swears that you can't run PhotoShop on a PC.)

        And even if Mac market share exceeds PC market share eventually (which may be difficult considering the number of Macs that end up with Windows installed), the PC will still be the largest target for a while simply because of the number of malware "development kits" available that make it simple enough that even a child can develop a virus, worm, or trojan via a point and click interface.
        • Holes and bugs...

          "(although there IS a network of zombie OSX macs out there.)"
          Accepted -- consisting of 15,000 machines -- a mere 0.2% of the
          total number of Macs.
          Compare that to the 15% of Windows machines world wide that carry
          Conficker or some other botnet.

          While I don't disagree that every OS has its holes and bugs, Windows
          is by far the one most attacked, receiving thousands of new exploits
          or variants of old ones every week compared to maybe five or ten
          attacks per year against Linux and OS X. Yes, if either one manages to
          crack some hypothetical breakover point, maybe the attacks will
          increase. But at least for now, the low number of attacks alone gives
          the perception that they are more secure.
          • According to Wikipedia there are...

            ...between 9 million and 15 million PCs infected by Conficker as of January 2009 (yes, this is dated so if you have other numbers feel free to present them). Using the 15 million number and one billion Windows systems that represents 1.5% of PCs were infected at the time. Certainly not 15% as you state.

            Wikipedia also states 30% of PCs had not yet been patched by January 2009. Given this level of unpatched PCs I think it's quite good that only 1.5% of PCs are infected.

            "While I don't disagree that every OS has its holes and bugs, Windows is by far the one most attacked..."

            Of course it is. It has the largest market share. The 1.5% infection rate for Conficker is 75% of the Macintosh market share (assuming 20 million). Let's assume for the sake of argument OS X is more secure than Windows. Thus the infection rate would have to be less than 1.5%. Let's assume 1%. That means 200,000 Macs would be infected for the same effort as 15 million PCs. You can run a similar analysis for Linux. It's easy to see why Windows is the most attacked OS.
          • Oh Ye of the tired old argument about "marketshare"

            Windows is attacked more because it's inherently insecure.

            Consider Fort Knox. Fort Knox is 'impregnable', because it was designed, from the get go, to be secure.

            According to Ye, if we start building lots of Fort Knox's, the "impregnability" starts falling in direct relation to the number of Fort Knox's built. By the time we've built 100000000 Fort Knox's, according to Ye's addled thinking, they're getting broken in to several times a day. Because the more of them there are, the more insecure they are.

            What utter, MS PR drivel.

            Windows is insecure because it was designed, from the get go, as a single user system not connected to a network.

            On top of this single user system, Microsoft, in their haste to crush Netscape, deliberately integrated (co-mingled) IE web browser code with low-level OS code. This violation of the most basic software engineering principles allowed Microsoft to go into a court room and claim that the reason they HAD to give every Windows user IE, was because IE was a part of the OS, Windows could not work without it, IE could not be un-installed and isn't it great that we just "Knifed the baby" / "Cut off Netscape's air supply".

            It was downhill all the way from then on. Billions of $$$ lost to down time and trashed systems as an endless series of macro viruses, exe viruses, trojans and worms assaulted Windows PCs again and again and again and again.

            And on top of that homogenous mess of browser code co-mingles with OS code, go the patches. Patches on top of the patches patching the patches that patched the patched patches, patch, patch, patch, a wonderful, Windows inspired roundabout of "Get a Windows virus, lose your work, apply a patch, get a Windows virus, lose your work, patch, get a Windows worm, apply a patch, get a Windows trojan, patch"

            That's why Windows gets slammed so often. It's a single user system, with deliberately compromised engineering, groaning under the accumulated weight of about 10 years of "after the fact" patching. But in the Microsoft "ecosystem", the fact that Netscape were crushed meant that the Windows monopoly could continue making sure that Microsoft substandard engineering was the only engineering a buyer in PC world ever saw.

            If Windows was secure, then it wouldn't matter how large the installed base was. Just like Fort Knox.
          • I know you're tired of the truth.

            "Oh Ye of the tired old argument about 'marketshare'"

            Just because you're tired of it and don't like it doesn't make it any less true.

            "Windows is attacked more because it's inherently insecure."

            So I keep hearing. And in all the years I've been asking for details on how it's inherently insecure I never have received an answer. So I ask again: How? Will I get an answer this time? Doubtful.
          • Windows Lite

            I used to run this (W98) as it did NOT contain IE. Ran Netscape instead and had no problems.
          • Well Said

            Thanks for the clear comment.
          • Netscape?

            Netscape was crushed because it was a sh!tty browser.

            IE 4 flat out beat NS at its own game. IE won by being a better browser.

            Now, IE 5 and 6 is another story. Once IE had 95% market share MS screwed up royally. They thought they owned the market and thought they owned standards. That came back to bite them in the ass when FF came to age. IE 6 is horrible. But IE 8 is a great browser from a developer's standpoint. It just works.

            But I digest....

            Make no mistake NS died because it SUCKED. MS make a better product.
            Duke E. Love
          • Boot leg PC's that can't get patched?

            Say in china?
            Duke E. Love