incubator-ooo-dev mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: FW: [libreoffice-users] MS font exploit
Date Sat, 05 Nov 2011 21:07:36 GMT
On Sat, Nov 5, 2011 at 2:41 PM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> There is an out-of-cycle Microsoft Security Advisory concerning serious
> exploits that can be carried out against a vulnerability in the handling of
> TrueType Fonts at the operating-system level.
>

Bug in MS Windows.  Not in OOo.  Linux users can continue to sleep soundly.

-Rob


> One avenue of attack consists of documents that have embedded TrueType fonts
> that have been crafted to accomplish the exploit.  The particular embedding
> technique (Embedded OpenType (EOT)) is used in HTML pages.  It seems necessary
> to presume that other use of TrueType fonts injected from unknown sources
> provide avenues.
>
> The knowledge base (KB) article that provides one mitigation is at
> <http://support.microsoft.com/kb/2639658>.
>
> The advisory and further information on EOT are found by following links on
> that page.
>
> Following is an amended note that I published on [libreoffice-users], on the
> same subject, where this exploit was already being discussed.  (I had not dug
> into EOT at the time that I wrote the following.)
>
> -----Original Message-----
> From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
> Sent: Saturday, November 05, 2011 11:19
> To: 'users@global.libreoffice.org'
> Subject: RE: [libreoffice-users] MS font exploit
>
>
> There are two microsoft.com pages that relate to this situation.  The problem
> is that the exploit happens against the kernel (in GDI, etc.) so there is not
> much to do about it in any applications.
>
> The knowledge-base KB article is the most helpful in terms of mitigation.
>
> Any application that does its own TrueType font handling by other than the
> Windows calls that accomplish font handling and rendering needs to look to see
> if it has any vulnerability in its parser.  This also applies to any
> non-Windows support for TrueType fonts that run on the same architectures as
> Windows.  There's not enough public information to know what to look for. I
> expect that there is cross-platform cooperation at the security-team levels on
> this one.
>
> Meanwhile, the only remedy at the moment is to apply the workarounds that
> apply to Windows.
>
> Here is what I can discern from the sketchy information:
>
>  1. The exploit requires a specially-crafted TrueType Font package.
>  2. The vulnerability is exploited when such a font is parsed as part of
> rendering of any presentation using the Windows internal support for TrueType
> fonts.
>  3. There is a fix available at the knowledge base article.  It *appears* in
> my non-expert reading to prevent use of the intrinsic support for embedded
> fonts, since this is a potentially-appealing avenue of attack via
> specially-crafted documents.  Fixes to close that door, and to reopen it
> later, are available at the KB article. [Added: The embedding case appears to
> be one related to HTML font embedding.  It is unclear what other embedding
> cases apply, if any.]
>
> I suspect that the workaround has no impact on LO and OO.o operability,
> although I guess the thing to do is turn on the workaround and see for sure.
>
> I'm going to do that as soon as I do some system backups first.
>
>
>
>  - Dennis E. Hamilton
>   tools for document interoperability,  <http://nfoWorks.org/>
>   dennis.hamilton@acm.org  gsm: +1-206-779-9430  @orcmid
>
>
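As an added illustration of the parser-hardening point in the quoted note above (example code written for this archive page, not from Microsoft, OpenOffice or LibreOffice), the following Python validates a TrueType table directory against the file size before any table is read. The sample fonts are constructed inline, and `FontRejected`, `parse_table_directory`, `build_font` and `accepts` are this example's own names.

```python
import struct

# Big-endian sfnt structures from the TrueType/OpenType spec.
OFFSET_TABLE = struct.Struct(">IHHHH")  # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_ENTRY = struct.Struct(">4sIII")   # tag, checkSum, offset, length

class FontRejected(ValueError):
    """Table directory cannot be trusted (exception name is this example's own)."""

def parse_table_directory(data: bytes, max_tables: int = 64) -> dict:
    """Return {tag: (offset, length)}; every offset/length is bounded by len(data) first."""
    if len(data) < OFFSET_TABLE.size:
        raise FontRejected("truncated offset table")
    version, num_tables, _, _, _ = OFFSET_TABLE.unpack_from(data, 0)
    if version not in (0x00010000, 0x74727565):  # 1.0 or 'true'
        raise FontRejected("not a TrueType sfnt")
    if num_tables == 0 or num_tables > max_tables:
        raise FontRejected("implausible numTables %d" % num_tables)
    dir_end = OFFSET_TABLE.size + num_tables * TABLE_ENTRY.size
    if dir_end > len(data):
        raise FontRejected("table directory runs past end of file")
    tables = {}
    for i in range(num_tables):
        tag, _, offset, length = TABLE_ENTRY.unpack_from(data, OFFSET_TABLE.size + i * TABLE_ENTRY.size)
        # Test length > remaining rather than offset + length > size: in 32-bit
        # arithmetic the sum wraps, which is what a crafted directory relies on.
        if offset < dir_end or length > len(data) - offset:
            raise FontRejected("table %r out of bounds" % tag)
        if tag in tables:
            raise FontRejected("duplicate table %r" % tag)
        tables[tag] = (offset, length)
    return tables

def build_font(entries, payload: bytes) -> bytes:
    """Constructed sample font: offset table + directory + raw table bytes."""
    header = OFFSET_TABLE.pack(0x00010000, len(entries), 0, 0, 0)
    directory = b"".join(TABLE_ENTRY.pack(tag, 0, off, ln) for tag, off, ln in entries)
    return header + directory + payload

# Constructed inputs: a sane font, and one whose 'glyf' offset+length wraps in 32 bits.
GOOD_FONT = build_font([(b"head", 28, 54)], b"\x00" * 54)
WRAPPING_FONT = build_font([(b"glyf", 0xFFFFFFF0, 0x20)], b"\x00" * 54)

def accepts(data: bytes) -> bool:
    try:
        parse_table_directory(data)
        return True
    except FontRejected:
        return False
```

A loader that renders fonts from documents or web pages of unknown origin would gate on `accepts()` (or the equivalent check in its own parser) before touching any table data.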
