CERT-In Vulnerability Note
CIVN-2010-0201
Microsoft Windows and Office Uniscribe Font Parsing Arbitrary Code Execution Vulnerability
Original Issue Date: September 16, 2010
Severity Rating: HIGH
Systems Affected
- Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista Service Pack 1 and Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Note: Server Core installations on Windows Server 2008 or Windows Server 2008 R2 are also affected.
Component Affected
- Microsoft Office XP Service Pack 3
- Microsoft Office 2003 Service Pack 3
- Microsoft Office 2007 Service Pack 2
Overview
A remote code execution vulnerability has been reported in Microsoft Windows and Microsoft Office which could allow an attacker to run arbitrary code with the privileges of the currently logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.
Description
Unicode Script Processor (USP10.DLL), also known as Uniscribe, is a collection of APIs that enables a text layout client to format complex scripts such as Arabic, Indian, and Thai. The vulnerability is due to incorrect parsing of specific font types by Microsoft Windows and Microsoft Office. An attacker could exploit this vulnerability by providing a user with a specially crafted document associated with an application that supports embedded OpenType fonts, such as Microsoft Office.
In addition, Web browsers may also parse these fonts from a specially crafted Web page. An attacker could host a specially crafted Web site that is designed to exploit this vulnerability and then convince a user to view the Web site.
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system.
Workaround
- Modify the Access Control List (ACL) on usp10.dll
- Disable support for parsing embedded fonts in Internet Explorer
For detailed steps and the impact of applying these workarounds, refer to Microsoft Security Bulletin MS10-063.
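To check where the first workaround or the update still has to be applied, the following PowerShell inventory lists every copy of usp10.dll on a host with its file version and any deny entries in its ACL. It is an added example, not part of the CERT-In note or the Microsoft bulletin. The search roots are assumptions, and it assumes the ACL workaround shows up as explicit deny entries; the exact ACL change and the fixed file versions are given in MS10-063 and are not reproduced here.

```powershell
# Added example: inventory USP10.DLL copies with version and ACL state.
# Search roots are assumptions; extend them for the host being audited.
$roots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }

$report = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'usp10.dll' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                # Collect explicit or inherited deny ACEs on this copy.
                $acl  = Get-Acl -Path $file.FullName -ErrorAction Stop
                $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
                if ($deny.Count -gt 0) {
                    $aclState = ($deny | ForEach-Object {
                        "$($_.IdentityReference): $($_.FileSystemRights)"
                    }) -join '; '
                } else {
                    $aclState = 'no deny entries'
                }
            } catch {
                # A restrictive ACL can itself block reading the descriptor.
                $aclState = "ACL unreadable: $($_.Exception.Message)"
            }
            New-Object PSObject -Property @{
                Path        = $file.FullName
                FileVersion = $file.VersionInfo.FileVersion
                LastWrite   = $file.LastWriteTime
                DenyEntries = $aclState
            }
        }
}

# One row per copy; compare FileVersion against the bulletin's file information.
$report | Sort-Object Path |
    Select-Object Path, FileVersion, LastWrite, DenyEntries |
    Format-Table -AutoSize -Wrap
```

Office installs can ship their own copy of the library, which is why the search covers the Program Files trees as well as the Windows directory.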
Solution
Apply appropriate updates as mentioned in Microsoft Security Bulletin MS10-063.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms10-063.mspx
References
ISC SANS
http://isc.sans.edu/diary.html?storyid=9547
CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=21317
VUPEN
http://www.vupen.com/english/advisories/2010/2384
Securityfocus
http://www.securityfocus.com/bid/43068
Secunia
http://secunia.com/advisories/41396/
SecurityTracker
http://securitytracker.com/alerts/2010/Sep/1024438.html
CVE Name
CVE-2010-2738
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India