On Sat, Nov 5, 2011 at 2:41 PM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> There is an out-of-cycle Microsoft Security Advisory concerning serious
> exploits that can be carried out against a vulnerability in the handling of
> TrueType Fonts at the operating-system level.
>
Bug in MS Windows. Not in OOo. Linux users can continue to sleep soundly.
-Rob
> One avenue of attack consists of documents that have embedded TrueType fonts
> that have been crafted to accomplish the exploit. The particular embedding
> technique (Embedded OpenType (EOT)) is used in HTML pages. It seems necessary
> to presume that other uses of TrueType fonts injected from unknown sources
> provide avenues.
>
> The knowledge base (KB) article that provides one mitigation is at
> <http://support.microsoft.com/kb/2639658>.
>
> The advisory and further information on EOT are found by following links on
> that page.
>
> Following is an amended note that I published on [libreoffice-users], on the
> same subject, where this exploit was already being discussed. (I had not dug
> into EOT at the time that I wrote the following.)
>
> -----Original Message-----
> From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
> Sent: Saturday, November 05, 2011 11:19
> To: 'users@global.libreoffice.org'
> Subject: RE: [libreoffice-users] MS font exploit
>
>
> There are two microsoft.com pages that relate to this situation. The problem
> is that the exploit happens against the kernel (in GDI, etc.) so there is not
> much to do about it in any applications.
>
> The knowledge-base KB article is the most helpful in terms of mitigation.
>
> Any application that handles its own TrueType font handling by other than the
> Windows calls that accomplish font handling and rendering needs to look to see
> whether it has any vulnerability in its parser. This also applies to any
> non-Windows support for TrueType fonts that runs on the same architectures as
> Windows. There's not enough public information to know what to look for. I
> expect that there is cross-platform cooperation at the security-team levels on
> this one.
>
> Meanwhile, the only remedy at the moment is to apply the workarounds that
> apply to Windows.
>
> Here is what I can discern from the sketchy information:
>
> 1. The exploit requires a specially-crafted TrueType Font package.
> 2. The vulnerability is exploited when such a font is parsed as part of
> rendering of any presentation using the Windows internal support for TrueType
> fonts.
> 3. There is a fix available at the knowledge base article. It *appears* in
> my non-expert reading to prevent use of the intrinsic support for embedded
> fonts, since this is a potentially-appealing avenue of attack via
> specially-crafted documents. Fixes to close that door, and to reopen it
> later, are available at the KB article. [Added: The embedding case appears to
> be one related to HTML font embedding. It is unclear what other embedding
> cases apply, if any.]
>
> I suspect that the workaround has no impact on LO and OO.o operability,
> although I guess the thing to do is turn on the workaround and see for sure.
>
> I'm going to do that as soon as I do some system backups first.
>
>
>
> - Dennis E. Hamilton
> tools for document interoperability, <http://nfoWorks.org/>
> dennis.hamilton@acm.org gsm: +1-206-779-9430 @orcmid
>
>
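The quoted note says that any application with its own TrueType parser should check that parser for vulnerabilities. As an added illustration (not code from this thread, OpenOffice.org or LibreOffice), here is a Python reader for the sfnt table directory, the first structure any TrueType or OpenType parser reads, that checks every count, offset and length against the real file size before using it. The sample fonts and all names are constructed for this example.

```python
import struct

HEADER = struct.Struct(">IHHHH")  # sfntVersion, numTables, searchRange, entrySelector, rangeShift
RECORD = struct.Struct(">4sIII")  # tag, checksum, offset, length
SFNT_VERSIONS = {0x00010000, 0x74727565, 0x4F54544F}  # 1.0, 'true', 'OTTO'


class MalformedFont(ValueError):
    """Raised instead of trusting an inconsistent table directory."""


def parse_table_directory(data: bytes, max_tables: int = 64) -> dict:
    """Return {tag: (offset, length)}; each field is checked against the file size first."""
    if len(data) < HEADER.size:
        raise MalformedFont("file shorter than the offset table")
    version, num_tables, _, _, _ = HEADER.unpack_from(data, 0)
    if version not in SFNT_VERSIONS:
        raise MalformedFont(f"unknown sfnt version 0x{version:08x}")
    # numTables is a 16-bit count taken from the file: cap it and require the
    # whole directory to fit inside the file before reading a single record.
    if num_tables == 0 or num_tables > max_tables:
        raise MalformedFont(f"implausible table count {num_tables}")
    dir_end = HEADER.size + num_tables * RECORD.size
    if dir_end > len(data):
        raise MalformedFont("table directory runs past end of file")
    tables = {}
    for i in range(num_tables):
        tag, _, offset, length = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        # Python ints do not wrap; a C parser must also guard offset + length
        # against 32-bit wraparound before comparing it with the file size.
        if offset < dir_end or offset + length > len(data):
            raise MalformedFont(f"table {tag!r} ({offset}+{length}) lies outside the file")
        if tag in tables:
            raise MalformedFont(f"duplicate table {tag!r}")
        tables[tag] = (offset, length)
    return tables


def is_well_formed(data: bytes) -> bool:
    try:
        parse_table_directory(data)
    except MalformedFont:
        return False
    return True


def build_font(records, payload: bytes) -> bytes:
    # Constructed minimal sfnt for testing: header, directory records, table data.
    hdr = HEADER.pack(0x00010000, len(records), 0, 0, 0)
    return hdr + b"".join(RECORD.pack(t, 0, o, n) for t, o, n in records) + payload


# Constructed samples: one consistent two-table font and two malformed directories.
GOOD_FONT = build_font([(b"cmap", 44, 4), (b"glyf", 48, 8)], b"\x00" * 12)
HUGE_LENGTH_FONT = build_font([(b"glyf", 28, 0xFFFFFFF0)], b"\x00" * 4)
TRUNCATED_DIR_FONT = HEADER.pack(0x00010000, 10, 0, 0, 0) + b"\x00" * 8
```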