incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <>
Subject FW: [libreoffice-users] MS font exploit
Date Sat, 05 Nov 2011 18:41:34 GMT
There is an out-of-cycle Microsoft Security Advisory concerning serious 
exploits that can be carried out against a vulnerability in the handling of 
TrueType Fonts at the operating-system level.

One avenue of attack consists of documents that have embedded TrueType fonts 
that have been crafted to accomplish the exploit.  The particular embedding 
technique (Embedded OpenType (EOT)) is used in HTML pages.  It seems necessary 
to presume that other use of TrueType fonts injected from unknown sources 
provide avenues.

The knowledge base (KB) article that provides one mitigation is at

The advisory and further information on EOT are found by following links on 
that page.

Following is an amended note that I published on [libreoffice-users], on the 
same subject, where this exploit was already being discussed.  (I had not dug 
into EOT at the time that I wrote the following.)

-----Original Message-----
From: Dennis E. Hamilton []
Sent: Saturday, November 05, 2011 11:19
To: ''
Subject: RE: [libreoffice-users] MS font exploit

There are two pages that relate to this situation.  The problem
is that the exploit happens against the kernel (in GDI, etc.) so there is not
much to do about it in any applications.

The knowledge-base KB article is the most helpful in terms of mitigation.

Any application that handles its own TrueType font handling by other than the
Windows call that accomplish font handling and rendering need to look to see
if they have any vulnerability in their parser.  This also applies to any
non-Windows support for TrueType fonts that run on the same architectures as
Windows.  There's not enough public information to know what to look for. I
expect that there is cross-platform cooperation at the security-team levels on
this one.

Meanwhile, the only remedy at the moment is to apply the workarounds that
apply to Windows.

Here is what I can discern from the sketchy information:

 1. The exploit requires a specially-crafted TrueType Font package.
 2. The vulnerability is exploited when such a font is parsed as part of
rendering of any presentation using the Windows internal support TrueType
 3. There is a fix available at the knowledge base article.  It *appears* in
my non-expert reading to prevent use of the intrinsic support for embedded
fonts, since this a potentially-appealing avenue of attack via
specially-crafted documents.  Fixes to close that door, and to reopen it
later, are available at the KB article. [Added: The embedding case appears to 
be one related to HTML font embedding.  It is unclear what other embedding 
cases apply, if any.]

I suspect that the workaround has no impact on LO and OO.o operability,
although I guess the thing to do is turn on the workaround and see for sure.

I'm going to do that as soon as I do some system backups first.

 - Dennis E. Hamilton
   tools for document interoperability,  <>  gsm: +1-206-779-9430  @orcmid

View raw message