CERT-In Vulnerability Note
CIVN-2010-0254
Multiple Vulnerabilities in Microsoft Windows OpenType Font Driver
Original Issue Date: December 15, 2010
Severity Rating: HIGH
Systems Affected
- Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista Service Pack 1 and Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (including Server-Core installation)
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (including Server-Core installation)
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit systems
- Windows 7 for x64-based systems
- Windows Server 2008 R2 for x64-based Systems (including Server-Core installation)
- Windows Server 2008 R2 for Itanium-based systems
Overview
Multiple vulnerabilities have been reported in the Microsoft Windows OpenType Font (OTF) driver. Successful exploitation of these vulnerabilities could allow remote code execution in kernel mode on a vulnerable system and give the attacker complete control of it.
Description
OpenType is a font format developed jointly by Microsoft and Adobe as an extension of Apple's TrueType font format. An OpenType font file contains data, in table format, that comprises either a TrueType or a PostScript outline font. Rasterizers use combinations of data from the tables contained in the font to render the TrueType or PostScript glyph outlines.
A double free is a condition in which a program releases the same block of allocated memory more than once. Freeing memory that has already been freed corrupts the allocator's bookkeeping, and an attacker who can place controlled data in memory between the two frees may be able to turn that corruption into execution of arbitrary code; because the OpenType driver runs in the kernel, that code would run at system privilege. Typically the result is a denial of service; in some circumstances it can lead to code execution. Because the memory layout differs on each affected system, exploiting this vulnerability reliably at scale could be difficult.
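The C program below is an added illustration and is not code from this advisory or from the Windows driver, whose internals the advisory does not describe. It shows the pattern behind a double free in a parser's error path (a callee frees a buffer but leaves the dangling pointer in place, and the caller's generic cleanup frees it again) next to the ownership fix. The slot allocator, the table format check and the loader functions are all assumptions for the demonstration; the allocator stands in for the kernel pool and counts a second free instead of crashing, so both variants can be run and compared.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Tiny slot allocator standing in for the kernel pool (assumption for the
 * demo).  A real allocator aborts or silently corrupts its free lists when a
 * block is freed twice; this one records the event so the bug is observable. */
#define SLOTS      4
#define SLOT_BYTES 64
static uint8_t g_slot[SLOTS][SLOT_BYTES];
static int     g_used[SLOTS];
static int     g_double_frees;            /* number of second frees observed */

static void *pool_alloc(size_t n)
{
    if (n > SLOT_BYTES) return NULL;
    for (int i = 0; i < SLOTS; i++)
        if (!g_used[i]) { g_used[i] = 1; return g_slot[i]; }
    return NULL;
}

static void pool_free(void *p)
{
    if (!p) return;                       /* freeing NULL is a no-op, as with free() */
    for (int i = 0; i < SLOTS; i++) {
        if (p != (void *)g_slot[i]) continue;
        if (!g_used[i]) g_double_frees++; /* slot already released: a double free */
        g_used[i] = 0;
        return;
    }
}

struct font_table { uint8_t *data; size_t len; };

/* Stand-in for font validation (assumption): the subtable must declare
 * format 4, so the constructed input below fails it and takes the error path. */
static int format_ok(const uint8_t *d, size_t n)
{
    return n >= 2 && ((d[0] << 8) | d[1]) == 4;
}

/* Buggy loader: on a validation failure it releases the buffer but leaves the
 * dangling pointer in the struct, so the caller's cleanup frees it a second time. */
static int load_table_buggy(struct font_table *t, const uint8_t *src, size_t n)
{
    if (!(t->data = pool_alloc(n))) return -1;
    memcpy(t->data, src, n);
    t->len = n;
    if (!format_ok(t->data, n)) {
        pool_free(t->data);               /* first free */
        return -1;                        /* t->data still points at the slot */
    }
    return 0;
}

/* Fixed loader: the same error path clears the pointer, so ownership is
 * unambiguous and the caller's pool_free(NULL) does nothing. */
static int load_table_fixed(struct font_table *t, const uint8_t *src, size_t n)
{
    if (!(t->data = pool_alloc(n))) return -1;
    memcpy(t->data, src, n);
    t->len = n;
    if (!format_ok(t->data, n)) {
        pool_free(t->data);
        t->data = NULL;                   /* single owner, no dangling pointer */
        t->len = 0;
        return -1;
    }
    return 0;
}

/* Caller shared by both variants.  It always releases whatever the struct holds
 * after a load attempt, which is the convention the buggy loader breaks.
 * Returns how many double frees the attempt produced. */
static int process(int (*load)(struct font_table *, const uint8_t *, size_t))
{
    /* constructed malformed table: declares format 7 rather than 4 */
    static const uint8_t bad[] = { 0x00, 0x07, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00 };
    struct font_table t = { NULL, 0 };
    int before = g_double_frees;
    (void)load(&t, bad, sizeof bad);
    pool_free(t.data);                    /* second free in the buggy case */
    return g_double_frees - before;
}

int double_frees_buggy(void) { return process(load_table_buggy); }
int double_frees_fixed(void) { return process(load_table_fixed); }

int main(void)
{
    printf("buggy loader: %d double free(s)\n", double_frees_buggy());
    printf("fixed loader: %d double free(s)\n", double_frees_fixed());
    return 0;
}
```

The fix is not the NULL assignment by itself but the rule it enforces: exactly one party owns the buffer at any time, and an error path that releases it must leave no second pointer behind for a later cleanup to free.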
Embedded OpenType (EOT) fonts are a compact form of fonts designed for use on Web pages. Such fonts can be embedded in a document so that a user views it exactly as the author intended. The Web Embedding Fonts Tool (WEFT) lets Web authors create font objects linked to their Web pages, so that pages viewed in the browser display in the style contained in the font object. For more information, see the MSDN article About Font Embedding. All operating systems listed under Systems Affected render EOT fonts by default.
1) OpenType Font Index Vulnerability (CVE-2010-3956)
This is a remote code execution vulnerability caused by the OpenType Font (OTF) driver not properly indexing an array when parsing OpenType fonts.
When a user previews a document carrying a specially crafted OpenType font in the Windows Explorer Details or Preview pane, the font can trigger the flaw and allow the attacker to execute arbitrary code.
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of the affected system.
2) OpenType Font Double Free Vulnerability (CVE-2010-3957)
This is a remote code execution vulnerability caused by improper memory operations when processing OpenType fonts. The Windows OpenType driver may free memory while processing a font and later attempt to free the same memory again, causing a double free that corrupts memory.
When a user previews a document carrying a specially crafted OpenType font in the Windows Explorer Details or Preview pane, the font can trigger memory corruption that the attacker could use to execute arbitrary code with the elevated privileges of the Windows kernel.
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of the affected system.
3) OpenType CMAP Table Vulnerability (CVE-2010-3959)
This is a remote code execution vulnerability caused by the OpenType Font (OTF) driver not properly parsing the character mapping (cmap) table when rendering a specially crafted OpenType font.
When a user previews a document carrying a specially crafted OpenType font in the Windows Explorer Details or Preview pane, the font can trigger memory corruption that the attacker could use to execute arbitrary code with the elevated privileges of the Windows kernel.
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of the affected system.
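The following C program is an added example, not code from this advisory or from Microsoft's driver, and it does not reproduce the specific flaws above, which the advisory does not describe. It illustrates the bug class shared by items 1 and 3 (an index or offset taken from the font and used to address a table without checking it against the table's bounds) using the real layout of an OpenType cmap format 4 subtable, where idRangeOffset is a font-supplied offset that decides where the glyph lookup reads. The sample subtable, the hostile variant and the lookup routine are constructed for the demonstration; every read goes through a bounds-checked accessor, so a hostile offset is rejected instead of dereferenced.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Big-endian u16 read that refuses to step outside [0, len).  Every access into
 * the font goes through this, so a font-supplied offset can never turn into an
 * out-of-bounds read. */
static int rd16(const uint8_t *buf, size_t len, size_t off, uint16_t *out)
{
    if (off > len || len - off < 2)
        return -1;
    *out = (uint16_t)((buf[off] << 8) | buf[off + 1]);
    return 0;
}

/* Resolve character code c to a glyph index using a cmap format 4 subtable.
 * Returns 0 and sets *glyph (0 = missing glyph) on success, -1 when the table
 * is malformed or any font-controlled offset would leave the buffer. */
int cmap4_lookup(const uint8_t *buf, size_t len, uint16_t c, uint16_t *glyph)
{
    uint16_t format, length, segx2;

    if (rd16(buf, len, 0, &format) || format != 4)  return -1;
    if (rd16(buf, len, 2, &length) || length > len) return -1;
    len = length;                 /* ignore bytes beyond the declared length */
    if (rd16(buf, len, 6, &segx2) || segx2 == 0 || (segx2 & 1)) return -1;

    /* Four parallel arrays follow the 14-byte header, with a reservedPad u16
     * between endCode[] and startCode[].  segCount is font data too, so the
     * arrays are checked against the buffer before they are indexed. */
    size_t seg       = segx2 / 2;
    size_t end_off   = 14;
    size_t start_off = end_off + segx2 + 2;
    size_t delta_off = start_off + segx2;
    size_t range_off = delta_off + segx2;
    if (range_off > len || len - range_off < segx2)
        return -1;

    for (size_t i = 0; i < seg; i++) {
        uint16_t end, start, delta, ro;
        if (rd16(buf, len, end_off   + 2 * i, &end)   ||
            rd16(buf, len, start_off + 2 * i, &start) ||
            rd16(buf, len, delta_off + 2 * i, &delta) ||
            rd16(buf, len, range_off + 2 * i, &ro))
            return -1;
        if (c > end)
            continue;             /* segments are sorted by endCode */
        if (c < start) {          /* gap between segments: missing glyph */
            *glyph = 0;
            return 0;
        }
        if (ro == 0) {            /* delta-mapped segment; wraps mod 65536 by spec */
            *glyph = (uint16_t)(c + delta);
            return 0;
        }
        /* idRangeOffset is relative to its own slot in idRangeOffset[], so the
         * font chooses where this read lands.  A parser that adds the offset to
         * a pointer and dereferences it reads wherever the font says; rd16
         * rejects anything outside the declared subtable instead. */
        size_t addr = range_off + 2 * i + ro + 2 * (size_t)(c - start);
        uint16_t g;
        if (rd16(buf, len, addr, &g))
            return -1;
        *glyph = g ? (uint16_t)(g + delta) : 0;
        return 0;
    }
    return -1;                    /* no terminating 0xFFFF segment */
}

/* Constructed sample table: 'A'..'C' map through glyphIdArray to 10..12,
 * 'a'..'c' map via idDelta (-77) to 20..22, and the 0xFFFF segment terminates. */
const uint8_t kSampleCmap4[46] = {
    0x00,0x04, 0x00,0x2E, 0x00,0x00, 0x00,0x06,  /* format 4, length 46, language, segCountX2 */
    0x00,0x04, 0x00,0x01, 0x00,0x02,             /* searchRange, entrySelector, rangeShift */
    0x00,0x43, 0x00,0x63, 0xFF,0xFF,             /* endCode[]      */
    0x00,0x00,                                   /* reservedPad    */
    0x00,0x41, 0x00,0x61, 0xFF,0xFF,             /* startCode[]    */
    0x00,0x00, 0xFF,0xB3, 0x00,0x01,             /* idDelta[]      */
    0x00,0x06, 0x00,0x00, 0x00,0x00,             /* idRangeOffset[]: segment 0 points 6 bytes on, into glyphIdArray */
    0x00,0x0A, 0x00,0x0B, 0x00,0x0C,             /* glyphIdArray[] */
};

/* Same table with idRangeOffset[0] replaced by 0x7FFF, as a hostile font would
 * do to make the glyph read land about 32 KiB past the end of the subtable. */
int cmap4_lookup_hostile(uint16_t c, uint16_t *glyph)
{
    uint8_t evil[sizeof kSampleCmap4];
    memcpy(evil, kSampleCmap4, sizeof evil);
    evil[34] = 0x7F;
    evil[35] = 0xFF;
    return cmap4_lookup(evil, sizeof evil, c, glyph);
}

int main(void)
{
    uint16_t g;
    for (const char *p = "AaZ"; *p; p++) {
        int rc = cmap4_lookup(kSampleCmap4, sizeof kSampleCmap4, (uint16_t)*p, &g);
        printf("'%c' -> rc=%d glyph=%u\n", *p, rc, rc == 0 ? g : 0u);
    }
    printf("hostile idRangeOffset -> rc=%d\n", cmap4_lookup_hostile('A', &g));
    return 0;
}
```

The same discipline applies to every other font-derived index (segment count, table offsets, glyph counts): validate it against the bytes actually present before using it, and treat a failed check as a malformed font to reject, not as an error to tolerate.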
Workaround
- Disable the Preview Pane and Details Pane in Windows Explorer
Note: For detailed steps for this workaround and its impact, refer to Microsoft Security Bulletin MS10-091.
Solution
Apply the appropriate updates as mentioned in Microsoft Security Bulletin MS10-091.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms10-091.mspx
References
Secunia
http://secunia.com/advisories/42604/
Security Tracker
http://securitytracker.com/alerts/2010/Dec/1024873.html
VUPEN
http://www.vupen.com/english/advisories/2010/3215
SecurityFocus
http://www.securityfocus.com/bid/45311
http://www.securityfocus.com/bid/45315
http://www.securityfocus.com/bid/45316
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=21981
http://tools.cisco.com/security/center/viewAlert.x?alertId=21982
http://tools.cisco.com/security/center/viewAlert.x?alertId=21983
CVE Name
CVE-2010-3957
CVE-2010-3959
CVE-2010-3956
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India