Remote Code execution vulnerability in Microsoft Embedded OpenType Font
Original Issue Date: January 13, 2010
Microsoft Windows 2000 SP 4
Microsoft Windows XP SP 2
Microsoft Windows XP SP 3
Microsoft Windows XP Professional x64 Edition SP 2
Microsoft Windows Server 2003 SP 2
Microsoft Windows Server 2003 x64 Edition SP 2
Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Windows Vista, Windows Vista SP 1 and SP 2
Microsoft Windows Vista x64 Edition, SP 1 and SP 2
Microsoft Windows Server 2008 for 32-bit Systems and with SP 2
Microsoft Windows Server 2008 for x64-based Systems and with SP 2
Microsoft Windows Server 2008 for Itanium-based Systems and with SP2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems*
Windows Server 2008 R2 for Itanium-based Systems
A heap over flow vulnerability has been reported in Microsoft Windows
component, the Embedded Open Type ( EOT ) Font Engine.
Embedded Open Type (EOT) fonts are a compact form of fonts designed for use
on Web pages. These fonts can be embedded in a document. Use of EOT fonts
ensures that a user views the document exactly as the author intended. The
Web Embedding Fonts Tool (WEFT) lets Web authors create font objects that
are linked to their Web pages so that when viewed through the browser,
pages display in the style contained in the font object.
The vulnerability is in the Microsoft Windows Embedded Open Type
(EOT) font Engine (T2EMBED.DLL) which improperly performs bounds-checking
on lengths which are decoded from the LZCOMP
(a compression algorithm) bit-stream leading to an integer overflow.
An attacker exploits this vulnerability by creating data records in .doc
file or .ppt file contains specially crafted Embedded Open Type ( EOT )
font and to open the same or persuade to view a specially crafted website.
Successful exploitation of the vulnerability could execute arbitrary code
and allow remote attacker to take the control of the vulnerable system in
the context of logged in user.
Note : The vulnerability could be exploited on Windows 2000 only.
Other Windows versions contain the vulnerable code but do not
use this code in a way that may expose the vulnerability.
Disable support for parsing embedded fonts in Internet Explorer
Deny Access to T2EMBED.DLL
Use caution while opening attachments or clicking links on email messages
from unknown sources
For detailed steps of these workarounds refer to Microsoft Security
Note: This Bulletin replaces Microsoft Security Bulletin MS09-029
Apply appropriate updates as mentioned in the Microsoft Security Bulletin
The information provided herein is on “as is” basis, without warranty of