CERT-In Vulnerability Note
CIVN-2010-0229
Microsoft Windows Open Type Font (OTF) Format Driver Elevation of Privilege Vulnerabilities
Original Issue Date: October 15, 2010
Severity Rating: MEDIUM
Systems Affected
- Microsoft Windows XP Service Pack 3
- Microsoft Windows XP Professional x64 Edition Service Pack 2
- Microsoft Windows Server 2003 Service Pack 2
- Microsoft Windows Server 2003 x64 Edition Service Pack 2
- Microsoft Windows Server 2003 SP2 (Itanium)
Overview
Multiple vulnerabilities have been reported in the Microsoft Windows OpenType Font (OTF) Format Driver which could be exploited by an attacker to compromise the affected system in the context of the logged-in user.
Description
An OpenType font file contains data, in table format, that comprises either a TrueType or a PostScript outline font. Rasterizers use combinations of data from the tables contained in the font to render the TrueType or PostScript glyph outlines.
1. OpenType Font Parsing Vulnerability (CVE-2010-2740)
A vulnerability has been reported in the Microsoft Windows OpenType Font (OTF) Format Driver when handling OpenType fonts. The specific flaw exists in a routine which is meant to extract Unicode strings from the .otf name table: a WORD value is read from the .otf user input and used as the length for a string in the name table. An attacker could exploit this vulnerability by loading a properly formatted font and then reloading it with specially crafted offset and length fields for the head table of the font.
2. OpenType Font Validation Vulnerability (CVE-2010-2741)
A vulnerability has been reported in the Microsoft Windows OpenType Font (OTF) Format Driver, which does not properly perform an integer calculation when processing OTF files. The specific flaw exists in the font cache. A well-formed font is loaded and thus stored in the cache. Afterwards, the same font is reloaded, but with invalid offset and length fields for the head table of the font. The offset field is located at offset 0x64 in the file, and the length field is located at offset 0x68. An attacker could exploit this vulnerability by creating a specially crafted OTF file which corrupts memory when loaded. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in kernel mode, resulting in elevation of privilege and compromise of the vulnerable system in the context of the logged-in user.
NOTE: Third-party web browsers are affected by this vulnerability if they natively render OpenType Fonts (OTF). For these applications, this vulnerability may allow remote code execution in the context of the logged-on user if used to view a website with an embedded, specially crafted font.
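Both issues above come down to trusting length and offset fields read straight from the font file: the WORD string length in the name table (CVE-2010-2740) and the head table's offset/length fields in the table directory (CVE-2010-2741). The following validator is an added example written for this note, not code from CERT-In or Microsoft; it parses the sfnt table directory and the name table using the record layouts from the OpenType specification and rejects any table or string whose offset/length pair reaches outside the enclosing structure, which is the check a font parser or a pre-load file filter must make before using those values as copy sizes. The minimal fonts it builds are constructed test inputs, not real font files.

```python
import struct

# Big-endian record layouts from the OpenType specification.
SFNT_HEADER = struct.Struct(">IHHHH")   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")  # tag, checkSum, offset, length
NAME_HEADER = struct.Struct(">HHH")     # format, count, stringOffset
NAME_RECORD = struct.Struct(">HHHHHH")  # platformID, encodingID, languageID, nameID, length, offset
HEAD_LENGTH = 54                        # size of a version 1.0 'head' table


def parse_table_directory(data):
    """Return {tag: (offset, length)} after checking every record against the file size."""
    if len(data) < SFNT_HEADER.size:
        raise ValueError("file shorter than sfnt header")
    _version, num_tables, _sr, _es, _rs = SFNT_HEADER.unpack_from(data, 0)
    tables = {}
    for i in range(num_tables):
        rec_off = SFNT_HEADER.size + i * TABLE_RECORD.size
        if rec_off + TABLE_RECORD.size > len(data):
            raise ValueError("table directory runs past end of file")
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(data, rec_off)
        # Written as a subtraction so the same check stays correct in C, where offset + length could wrap.
        if offset > len(data) or length > len(data) - offset:
            raise ValueError(f"table {tag!r}: offset {offset:#x}/length {length:#x} outside file")
        tables[tag.decode("latin-1")] = (offset, length)
    return tables


def validate_name_table(data, offset, length):
    """Check each name record's (length, offset) pair against the table's string storage; return record count."""
    if length < NAME_HEADER.size:
        raise ValueError("name table shorter than its header")
    _fmt, count, string_offset = NAME_HEADER.unpack_from(data, offset)
    if NAME_HEADER.size + count * NAME_RECORD.size > length:
        raise ValueError("name records run past end of name table")
    if string_offset > length:
        raise ValueError("name string storage starts outside the table")
    storage_len = length - string_offset
    for i in range(count):
        rec_off = offset + NAME_HEADER.size + i * NAME_RECORD.size
        _p, _e, _l, _n, str_len, str_off = NAME_RECORD.unpack_from(data, rec_off)
        # The WORD length must be bounded by the storage area before it is used as a copy size.
        if str_off > storage_len or str_len > storage_len - str_off:
            raise ValueError(f"name record {i}: string length {str_len:#x} exceeds storage")
    return count


def check_font(data):
    """Run both checks; return a list of problems (empty for a font that passes)."""
    problems = []
    try:
        tables = parse_table_directory(data)
    except ValueError as e:
        return [str(e)]
    if "head" in tables and tables["head"][1] != HEAD_LENGTH:
        problems.append(f"head table length {tables['head'][1]:#x}, expected {HEAD_LENGTH:#x}")
    if "name" in tables:
        try:
            validate_name_table(data, *tables["name"])
        except ValueError as e:
            problems.append(str(e))
    return problems


def build_font(tables, overrides=None):
    """Constructed helper: assemble a minimal sfnt file; `overrides` patches {tag: (offset, length)} in the directory."""
    overrides = overrides or {}
    directory_size = SFNT_HEADER.size + TABLE_RECORD.size * len(tables)
    header = SFNT_HEADER.pack(0x4F54544F, len(tables), 0, 0, 0)  # 'OTTO' = CFF-based OpenType
    records, body, pos = b"", b"", directory_size
    for tag, payload in tables:
        offset, length = overrides.get(tag, (pos, len(payload)))
        records += TABLE_RECORD.pack(tag, 0, offset, length)
        body += payload
        pos += len(payload)
    return header + records + body


def sample_name_table(string_length):
    """Constructed name table: one Macintosh-platform record claiming `string_length` bytes of a 6-byte storage area."""
    string_offset = NAME_HEADER.size + NAME_RECORD.size  # storage follows the single record
    return (NAME_HEADER.pack(0, 1, string_offset)
            + NAME_RECORD.pack(1, 0, 0, 1, string_length, 0)
            + b"Sample")


def demo():
    """Well-formed font, then the same font with a bad head directory entry, then with an oversized name length."""
    base = [(b"head", bytes(HEAD_LENGTH)), (b"name", sample_name_table(6))]
    good = build_font(base)
    bad_head = build_font(base, overrides={b"head": (0x1000, 0xFFFF)})
    bad_name = build_font([(b"head", bytes(HEAD_LENGTH)), (b"name", sample_name_table(0xFFFF))])
    return check_font(good), check_font(bad_head), check_font(bad_name)


if __name__ == "__main__":
    for label, result in zip(("good", "bad head", "bad name"), demo()):
        print(f"{label}: {result or 'ok'}")
```

The directory check is deliberately phrased as `length > file_size - offset` rather than `offset + length > file_size`: in a 32-bit C implementation the addition can wrap and pass the test, which is exactly the class of integer miscalculation the second vulnerability describes. The `head` length comparison is a simple sanity check a filter can apply because that table has a fixed size.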
Solution
Apply appropriate updates as mentioned in the Microsoft Security Bulletin MS10-078.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/MS10-078.mspx
References
Core Security
http://www.coresecurity.com/content/ms-opentype-cff-parsing-vulnerability
Siberas
http://www.siberas.de/advisories/advisories_2010.html
Microsoft
http://www.microsoft.com/technet/security/bulletin/MS10-078.mspx
AusCERT
http://www.auscert.org.au/render.html?it=13459
Secunia
http://secunia.com/advisories/41778/
Security Tracker
http://securitytracker.com/alerts/2010/Oct/1024554.html
Vupen
http://www.vupen.com/english/advisories/2010/0341
CVE Name
CVE-2010-2740
CVE-2010-2741
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road, New Delhi - 110 003
India