MS Patch Tuesday: Another critical font engine vulnerability

The first Microsoft patch for 2010 is out, providing cover for a solitary vulnerability in the way Windows handles EOT (Embedded OpenType) fonts.
Written by Ryan Naraine, Contributor

The first Microsoft patch for 2010 is out, providing cover for a solitary vulnerability in the way Windows handles EOT (Embedded OpenType) fonts.

The update is rated "critical" but Microsoft says there is a low likelihood of exploitation on its newer operating systems.

The vulnerability, which was discovered by Google security engineer Tavis Ormandy, is a remote code execution issue in the way that the Microsoft Windows Embedded OpenType (EOT) Font Engine decompresses specially crafted EOT fonts.

From the MS10-001 advisory:

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Because Microsoft considers this a very difficult vulnerability to exploit on most operating systems, it is rated "critical" only for Windows 2000.

However, it's important to note that Windows XP, Windows Vista and Windows 7 are all affected by this flaw.

The Microsoft Security Research & Defense blog explains in more detail:

What is the issue? t2embed.dll improperly performs bounds-checking on lengths which are decoded from the LZCOMP bit-stream. This made it possible for a copy loop to violate the intended working buffer.

Is the EOT functionality reachable through 3rd party code? Yes, the t2embed library provides EOT functionality that can be used by 3rd party code.  Many 3rd parties import t2embed for their font rendering, though some may choose to implement their own font rendering.

Why an Exploitability Index rating of 2? The Exploitability Index rating or 2 is due to the low likelihood of successful exploitation. Hurdles exist around heap preparation and predictability, heap data corruption, and a race condition to get an exception handler making successful exploitation unlikely.

The company warned that malicious hacker could use rigged fonts (EOT) delivered within files hosted on Web sites that are rendered in all versions of Internet Explorer by default.

An attacker could also use malicious office documents e-mailed to victims.  In a successful attack, a user running an unpatched machine would have to be tricked into opening a document -- PowerPoint or Word documents -- that contains a malformed embedded font.

Editorial standards