On Sat, Nov 5, 2011 at 2:41 PM, Dennis E. Hamilton <[email protected]> wrote:

> There is an out-of-cycle Microsoft Security Advisory concerning serious
> exploits that can be carried out against a vulnerability in the handling of
> TrueType Fonts at the operating-system level.
>

Bug in MS Windows. Not in OOo. Linux users can continue to sleep soundly.

-Rob

> One avenue of attack consists of documents that have embedded TrueType fonts
> that have been crafted to accomplish the exploit. The particular embedding
> technique (Embedded OpenType (EOT)) is used in HTML pages. It seems necessary
> to presume that other use of TrueType fonts injected from unknown sources
> provides avenues.
>
> The knowledge base (KB) article that provides one mitigation is at
> <http://support.microsoft.com/kb/2639658>.
>
> The advisory and further information on EOT are found by following links on
> that page.
>
> Following is an amended note that I published on [libreoffice-users], on the
> same subject, where this exploit was already being discussed. (I had not dug
> into EOT at the time that I wrote the following.)
>
> -----Original Message-----
> From: Dennis E. Hamilton [mailto:[email protected]]
> Sent: Saturday, November 05, 2011 11:19
> To: '[email protected]'
> Subject: RE: [libreoffice-users] MS font exploit
>
> There are two microsoft.com pages that relate to this situation. The problem
> is that the exploit happens against the kernel (in GDI, etc.) so there is not
> much to do about it in any applications.
>
> The knowledge-base KB article is the most helpful in terms of mitigation.
>
> Any application that handles its own TrueType font handling by other than the
> Windows calls that accomplish font handling and rendering needs to look to see
> if it has any vulnerability in its parser. This also applies to any
> non-Windows support for TrueType fonts that runs on the same architectures as
> Windows. There's not enough public information to know what to look for. I
> expect that there is cross-platform cooperation at the security-team levels on
> this one.
>
> Meanwhile, the only remedy at the moment is to apply the workarounds that
> apply to Windows.
>
> Here is what I can discern from the sketchy information:
>
> 1. The exploit requires a specially-crafted TrueType Font package.
> 2. The vulnerability is exploited when such a font is parsed as part of
> rendering of any presentation using the Windows internal support for TrueType
> fonts.
> 3. There is a fix available at the knowledge base article. It *appears* in
> my non-expert reading to prevent use of the intrinsic support for embedded
> fonts, since this is a potentially-appealing avenue of attack via
> specially-crafted documents. Fixes to close that door, and to reopen it
> later, are available at the KB article. [Added: The embedding case appears to
> be one related to HTML font embedding. It is unclear what other embedding
> cases apply, if any.]
>
> I suspect that the workaround has no impact on LO and OO.o operability,
> although I guess the thing to do is turn on the workaround and see for sure.
>
> I'm going to do that as soon as I do some system backups first.
>
> - Dennis E. Hamilton
> tools for document interoperability, <http://nfoWorks.org/>
> [email protected] gsm: +1-206-779-9430 @orcmid
