MS10-001
Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)
http://www.microsoft.com/technet/security/Bulletin/MS10-001.mspx
Microsoft Severity Rating: Critical
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font in client applications that can render EOT fonts, such as Microsoft Internet Explorer, Microsoft Office PowerPoint, or Microsoft Office Word. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by correcting the way that the Embedded OpenType Font Engine decompresses specially crafted files and content containing embedded fonts.
* Microtype Express Compressed Fonts Integer Flaw in the LZCOMP Decompressor Vulnerability – CVE-2010-0018
A remote code execution vulnerability exists in the way that the Microsoft Windows Embedded OpenType (EOT) Font Engine decompresses specially crafted EOT fonts. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
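As an added example (not part of the Microsoft bulletin or this post), the following Python triage script parses the fixed prefix of an EOT header and flags fonts whose data is marked as MicroType Express compressed, i.e. the ones that would be handed to the LZCOMP decompressor this update corrects, along with basic header consistency checks. The header layout, magic value and flag bits are taken from the W3C EOT file-format submission and are assumptions of this example, not facts stated on the page; the sample files are constructed, not real fonts.

```python
import struct

# EOT header constants per the W3C Embedded OpenType (EOT) submission; these are
# assumptions of this example, not values given on the page being annotated.
EOT_MAGIC = 0x504C                   # USHORT at offset 34 of every EOT file
TTEMBED_TTCOMPRESSED = 0x00000004    # FontData is MicroType Express (LZCOMP) compressed
TTEMBED_XORENCRYPTDATA = 0x10000000  # FontData is XOR-obfuscated after compression
KNOWN_VERSIONS = {0x00010000, 0x00020001, 0x00020002}
HEADER_PREFIX_LEN = 36               # bytes up to and including MagicNumber

def parse_eot_header(data: bytes) -> dict:
    """Return the fixed-position fields of an EOT header prefix; raise on a non-EOT blob."""
    if len(data) < HEADER_PREFIX_LEN:
        raise ValueError("too short to be an EOT header")
    eot_size, font_data_size, version, flags = struct.unpack_from("<IIII", data, 0)
    (magic,) = struct.unpack_from("<H", data, 34)
    if magic != EOT_MAGIC:
        raise ValueError("bad EOT magic 0x%04X" % magic)
    return {"eot_size": eot_size, "font_data_size": font_data_size,
            "version": version, "flags": flags}

def assess_eot(data: bytes) -> list:
    """Return findings a defender would want before a font reaches the EOT engine."""
    h = parse_eot_header(data)
    findings = []
    if h["flags"] & TTEMBED_TTCOMPRESSED:
        findings.append("compressed: FontData is routed through the LZCOMP decompressor "
                        "(the code path corrected by MS10-001)")
    if h["flags"] & TTEMBED_XORENCRYPTDATA:
        findings.append("xor-obfuscated FontData")
    if h["eot_size"] != len(data):
        findings.append("EOTSize %d != actual length %d" % (h["eot_size"], len(data)))
    if h["version"] not in KNOWN_VERSIONS:
        findings.append("unknown EOT version 0x%08X" % h["version"])
    return findings

def make_eot(font_data: bytes, flags: int, eot_size=None) -> bytes:
    """Build a constructed 36-byte EOT header prefix plus payload for testing (not a real font)."""
    total = HEADER_PREFIX_LEN + len(font_data) if eot_size is None else eot_size
    head = struct.pack("<IIII", total, len(font_data), 0x00020002, flags)  # sizes, version, flags
    head += bytes(10) + bytes(2)                       # FontPANOSE, Charset, Italic
    head += struct.pack("<IH", 400, 0)                 # Weight, fsType
    head += struct.pack("<H", EOT_MAGIC)               # MagicNumber
    return head + font_data

if __name__ == "__main__":
    plain = make_eot(b"\x00\x01\x00\x00" + bytes(28), 0)
    packed = make_eot(b"\x00\x01\x00\x00" + bytes(28), TTEMBED_TTCOMPRESSED)
    print(assess_eot(plain))    # []
    print(assess_eot(packed))   # one "compressed: ..." finding
```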
Analysis
Attackers are likely to exploit this vulnerability through client-side attacks, by setting up malicious web servers and distributing trojanized Office documents to targeted individuals. Attackers will focus on targets that are known to be using Windows 2000 machines. This can be done programmatically by detecting browser or Microsoft Office versions via web requests and then delivering the exploit to suitable targets. Successful exploitation results in arbitrary code execution in the context of the current user. Administrators are advised to patch all versions of Windows; however, Windows 2000 should be patched first, with all other versions following suit.
Recommendations
Disable support for parsing embedded fonts within Internet Explorer using the Internet Options\Security\Internet\Font Downloading setting under the Tools menu, or remove execute permissions on T2EMBED.DLL using CACLS. Any application or website that requires embedded fonts may not function properly after these mitigations, so administrators are advised to test applications before applying them.
blogmaster