Remote Code Execution Vulnerability in Microsoft Embedded OpenType Font Engine
http://www.cert-in.org.in/advisory/ciad-2010-01.htm
Original Issue Date: January 13, 2010
Severity Rating: High
System Affected
Microsoft Windows 2000 SP 4
Microsoft Windows XP SP 2
Microsoft Windows XP SP 3
Microsoft Windows XP Professional x64 Edition SP 2
Microsoft Windows Server 2003 SP 2
Microsoft Windows Server 2003 x64 Edition SP 2
Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Windows Vista, Windows Vista SP 1 and SP 2
Microsoft Windows Vista x64 Edition, SP 1 and SP 2
Microsoft Windows Server 2008 for 32-bit Systems and with SP 2
Microsoft Windows Server 2008 for x64-based Systems and with SP 2
Microsoft Windows Server 2008 for Itanium-based Systems and with SP2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems*
Windows Server 2008 R2 for Itanium-based Systems
Overview
A heap overflow vulnerability has been reported in a Microsoft Windows
component, the Embedded OpenType (EOT) Font Engine.
Description
Embedded OpenType (EOT) fonts are a compact form of fonts designed for use
on Web pages. These fonts can be embedded in a document so that a user views
the document exactly as the author intended. The Web Embedding Fonts Tool
(WEFT) lets Web authors create font objects that are linked to their Web
pages, so that when the pages are viewed through the browser they are
displayed in the style contained in the font object.
The vulnerability is in the Microsoft Windows Embedded OpenType (EOT) Font
Engine (T2EMBED.DLL), which does not properly bounds-check the lengths
decoded from the LZCOMP bit-stream (LZCOMP is the compression algorithm used
inside EOT font files). An overly large length value causes an integer
overflow in the bounds check, and the subsequent decompression writes past
the end of the heap buffer.
An attacker can exploit this vulnerability by embedding a specially crafted
EOT font in a data record of a .doc or .ppt file and persuading the user to
open it, or by persuading the user to view a specially crafted website that
serves the font.
Successful exploitation of the vulnerability could allow a remote attacker to
execute arbitrary code and take control of the vulnerable system in the
security context of the logged-in user.

Note: The vulnerability can be exploited on Windows 2000 only. Other Windows
versions contain the vulnerable code but do not use it in a way that exposes
the vulnerability.
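The bug class described above, a length decoded from a compressed stream that defeats a bounds check through integer wraparound, is shown here in an added example. This is not T2EMBED.DLL code and the token format below is a hypothetical, simplified LZ-style scheme invented for illustration, not LZCOMP; the sample input streams are constructed. The vulnerable check adds the current output position to the decoded length in 32-bit arithmetic, so a length near 2^32 wraps and passes; the hardened check compares the length against the remaining space, which cannot wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable check: out_pos + len is computed in 32 bits and wraps for a
 * large len, so an attacker-chosen length such as 0xFFFFFFFF "fits". */
bool copy_fits_vulnerable(uint32_t out_pos, uint32_t len, uint32_t out_cap) {
    return out_pos + len <= out_cap;
}

/* Hardened check: compare len against the space that is actually left.
 * No addition can overflow here. */
bool copy_fits_hardened(uint32_t out_pos, uint32_t len, uint32_t out_cap) {
    return out_pos <= out_cap && len <= out_cap - out_pos;
}

/* Hypothetical toy token stream (NOT LZCOMP):
 *   0x00 <byte>                          emit one literal byte
 *   0x01 <len: 4 bytes LE> <dist: 1 byte> copy len bytes from dist bytes back
 * Returns 0 on success, -1 truncated/unknown token, -2 output overflow,
 * -3 back-reference outside the history produced so far. */
int decode_toy(const uint8_t *in, size_t in_len, uint8_t *out,
               uint32_t out_cap, uint32_t *out_len) {
    size_t ip = 0;
    uint32_t op = 0;
    while (ip < in_len) {
        uint8_t tag = in[ip++];
        if (tag == 0x00) {
            if (ip >= in_len) return -1;
            if (!copy_fits_hardened(op, 1, out_cap)) return -2;
            out[op++] = in[ip++];
        } else if (tag == 0x01) {
            if (ip + 5 > in_len) return -1;
            uint32_t len = (uint32_t)in[ip] | (uint32_t)in[ip + 1] << 8 |
                           (uint32_t)in[ip + 2] << 16 | (uint32_t)in[ip + 3] << 24;
            uint8_t dist = in[ip + 4];
            ip += 5;
            if (dist == 0 || dist > op) return -3;          /* history check */
            if (!copy_fits_hardened(op, len, out_cap)) return -2; /* length check */
            for (uint32_t i = 0; i < len; i++) {           /* overlapping copy, LZ77 style */
                out[op] = out[op - dist];
                op++;
            }
        } else {
            return -1;
        }
    }
    *out_len = op;
    return 0;
}

/* Constructed benign stream: literals 'A','B', then copy 4 bytes from 2 back.
 * Returns the decoded length (6, output "ABABAB") or -1 on any mismatch. */
int sample_benign(void) {
    static const uint8_t in[] = { 0x00, 'A', 0x00, 'B', 0x01, 4, 0, 0, 0, 2 };
    uint8_t out[16];
    uint32_t n = 0;
    if (decode_toy(in, sizeof in, out, sizeof out, &n) != 0) return -1;
    if (n != 6 || memcmp(out, "ABABAB", 6) != 0) return -1;
    return (int)n;
}

/* Constructed malicious stream: one literal, then a copy whose 32-bit length
 * field is 0xFFFFFFFF. The hardened decoder rejects it with -2. */
int sample_malicious(void) {
    static const uint8_t in[] = { 0x00, 'A', 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 1 };
    uint8_t out[16];
    uint32_t n = 0;
    return decode_toy(in, sizeof in, out, sizeof out, &n);
}

int main(void) {
    printf("vulnerable check accepts len 0xFFFFFFFF at pos 1, cap 64: %d\n",
           copy_fits_vulnerable(1, 0xFFFFFFFFu, 64));
    printf("hardened   check accepts len 0xFFFFFFFF at pos 1, cap 64: %d\n",
           copy_fits_hardened(1, 0xFFFFFFFFu, 64));
    printf("benign stream decoded length: %d\n", sample_benign());
    printf("malicious stream result: %d\n", sample_malicious());
    return 0;
}
```

With the vulnerable check in place of the hardened one, the malicious stream would pass the length test and the copy loop would write roughly 4 GB past a 16-byte buffer; the decoder above never performs that copy, which is why it is safe to run. The general rule is the one the hardened function applies: bound a decoded length by the remaining capacity, never by a sum that can wrap.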
Workarounds
Disable support for parsing embedded fonts in Internet Explorer
Deny Access to T2EMBED.DLL
Use caution when opening attachments or clicking links in email messages
from unknown sources
For detailed steps for these workarounds, refer to Microsoft Security
Bulletin MS10-001
Note: This bulletin replaces Microsoft Security Bulletin MS09-029
Solution
Apply the appropriate updates as listed in Microsoft Security Bulletin
MS10-001
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/MS10-001.mspx

References
Microsoft
http://www.microsoft.com/technet/security/bulletin/MS10-001.mspx
http://support.microsoft.com/kb/972270
http://blogs.technet.com/srd/archive/2010/01/12/ms10-001-font-file-decompression-vulnerability.aspx
http://msdn.microsoft.com/en-us/library/ms533034.aspx
SecurityFocus
http://www.securityfocus.com/bid/37671
VUPEN
http://www.vupen.com/english/advisories/2010/0095
CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=19674
CERT-In
http://www.cert-in.org.in/vulnerability/civn-2009-86.htm
W3C
http://www.w3.org/Submission/MTX/#Theory
CVE Name
CVE-2010-0018
Disclaimer
The information provided herein is on an "as is" basis, without warranty of
any kind.