There is an out-of-cycle Microsoft Security Advisory concerning serious exploits that can be carried out against a vulnerability in the handling of TrueType Fonts at the operating-system level.
One avenue of attack consists of documents that carry embedded TrueType fonts crafted to accomplish the exploit. The particular embedding technique, Embedded OpenType (EOT), is used in HTML pages. It seems necessary to presume that other uses of TrueType fonts injected from unknown sources provide avenues as well: any font from an untrusted source that reaches the operating system's font engine is a candidate. The knowledge base (KB) article that provides one mitigation is at <http://support.microsoft.com/kb/2639658>. The advisory and further information on EOT are found by following links on that page.

Following is an amended note that I published on [libreoffice-users], on the same subject, where this exploit was already being discussed. (I had not dug into EOT at the time that I wrote the following.)

-----Original Message-----
From: Dennis E. Hamilton [mailto:[email protected]]
Sent: Saturday, November 05, 2011 11:19
To: '[email protected]'
Subject: RE: [libreoffice-users] MS font exploit

There are two microsoft.com pages that relate to this situation. The problem is that the exploit happens against the kernel (in GDI, etc.), so there is not much to do about it in any application. The knowledge-base (KB) article is the most helpful in terms of mitigation.

Any application that does its own TrueType font handling, rather than using the Windows calls that accomplish font handling and rendering, needs to look to see whether it has any vulnerability in its parser. This also applies to any non-Windows support for TrueType fonts that runs on the same architectures as Windows. There's not enough public information to know what to look for. I expect that there is cross-platform cooperation at the security-team level on this one.

Meanwhile, the only remedy at the moment is to apply the workarounds that apply to Windows. Here is what I can discern from the sketchy information:

1. The exploit requires a specially-crafted TrueType font package.

2. The vulnerability is exploited when such a font is parsed as part of rendering of any presentation using the Windows internal support for TrueType fonts.

3. There is a fix available at the knowledge base article. It *appears* in my non-expert reading to prevent use of the intrinsic support for embedded fonts, since this is a potentially-appealing avenue of attack via specially-crafted documents. Fixes to close that door, and to reopen it later, are available at the KB article. [Added: The embedding case appears to be one related to HTML font embedding. It is unclear what other embedding cases apply, if any.]

I suspect that the workaround has no impact on LO and OO.o operability, although I guess the thing to do is turn on the workaround and see for sure. I'm going to do that as soon as I do some system backups first.

 - Dennis E. Hamilton
   tools for document interoperability, <http://nfoWorks.org/>
   [email protected]
   gsm: +1-206-779-9430 @orcmid
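As an added example (not code from this post, from the KB article, or from Microsoft's Fix It package), here is a PowerShell script that checks whether the advisory's file-permission workaround is in place on a machine and applies or reverts it. It assumes the workaround Microsoft published with the advisory, which denies all access to t2embed.dll, the system library that implements Embedded OpenType support; this post does not name that file. It covers the Windows Vista and later form of the workaround (takeown followed by icacls), not the Windows XP/Server 2003 form that uses cacls. The function names are this example's own.

```powershell
# Added example: check, apply or revert the "deny access to t2embed.dll"
# workaround from Microsoft Security Advisory 2639658. Assumes Windows Vista
# or later and an elevated prompt; the takeown/icacls commands are the ones
# the advisory publishes. Function names are this example's own.

# t2embed.dll is the Embedded OpenType support library. 64-bit Windows carries a
# second, 32-bit copy under SysWOW64 that has to be locked down as well, or
# 32-bit applications can still load it.
function Get-T2EmbedPath {
    $paths = @(Join-Path $env:windir 'System32\t2embed.dll')
    $wow = Join-Path $env:windir 'SysWOW64\t2embed.dll'
    if (Test-Path $wow) { $paths += $wow }
    return $paths
}

function Test-T2EmbedDenied {
    param([Parameter(Mandatory)][string]$Path)
    # The workaround is in effect when the DACL carries a Deny ACE for Everyone
    # (well-known SID S-1-1-0) that covers at least Read & Execute, which is what
    # stops LoadLibrary. Comparing SIDs avoids localized account names.
    try {
        $acl = Get-Acl -Path $Path
    } catch [System.UnauthorizedAccessException] {
        # A Deny-Everyone ACE for Full Control also denies READ_CONTROL to anyone
        # who is not the file's owner, so a second admin cannot even read the
        # DACL. Treat that as "locked down" and say so.
        Write-Warning "Cannot read the DACL of $Path (not the owner); assuming the deny ACE is present."
        return $true
    }
    $rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Deny) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }
        if ($sid.Value -eq 'S-1-1-0' -and (($ace.FileSystemRights -band $rx) -eq $rx)) {
            return $true
        }
    }
    return $false
}

function Enable-T2EmbedWorkaround {
    param([Parameter(Mandatory)][string]$Path)
    # Exactly the advisory's two steps: take ownership (the file is owned by
    # TrustedInstaller, so Administrators cannot change its DACL directly), then
    # add a Deny-Everyone ACE. The DLL can no longer be loaded, so EOT rendering
    # is off until the ACE is removed again.
    & takeown.exe /f $Path | Out-Null
    & icacls.exe $Path /deny 'everyone:(F)' | Out-Null
    if (-not (Test-T2EmbedDenied -Path $Path)) { throw "Deny ACE was not applied to $Path" }
}

function Disable-T2EmbedWorkaround {
    param([Parameter(Mandatory)][string]$Path)
    # The advisory's undo step removes the Deny ACE. It does not hand ownership
    # back to TrustedInstaller, so the file's owner stays as changed by takeown.
    & icacls.exe $Path /remove:d everyone | Out-Null
    if (Test-T2EmbedDenied -Path $Path) { throw "Deny ACE is still present on $Path" }
}

function Get-T2EmbedWorkaroundStatus {
    foreach ($p in Get-T2EmbedPath) {
        [pscustomobject]@{ Path = $p; WorkaroundApplied = (Test-T2EmbedDenied -Path $p) }
    }
}

# Usage (elevated prompt): dot-source this file, then run one of
#   Get-T2EmbedWorkaroundStatus
#   Get-T2EmbedPath | ForEach-Object { Enable-T2EmbedWorkaround -Path $_ }
#   Get-T2EmbedPath | ForEach-Object { Disable-T2EmbedWorkaround -Path $_ }
Get-T2EmbedWorkaroundStatus | Format-Table -AutoSize
```

Two caveats a practitioner will want: the revert step should be run by the same account that applied the workaround (or after another `takeown`), because the Deny-Everyone ACE also blocks other administrators from reading or rewriting the DACL; and the lockdown breaks every application that relies on embedded-font rendering through this library, which is the operability question the note above raises for LibreOffice and OpenOffice.org.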
