CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2011-026

DATE(S) ISSUED:
04/13/2011

SUBJECT:
Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (MS11-032

OVERVIEW:

A vulnerability has been discovered in the Microsoft Windows OpenType CompactFont Format driver that could allow for remote code execution. OpenType Fonts are fonts that get embedded in documents such as Microsoft Word, Power Point, or Web pages. These vulnerabilities can be exploited if a user visits a specially crafted webpage or opens a specially crafted file, including e-mail attachments.

Successful exploitation may result in an attacker gaining the same user privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts.


SYSTEMS AFFECTED:

  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7


RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High


DESCRIPTION:
A vulnerability has been discovered in the Microsoft Windows OpenType Compact Font Format (CFF) driver. The vulnerability is caused due to the Windows OpenType Compact Font Format (CFF) driver not properly validating the parameter values of specially crafted OpenType fonts.


On Windows Vista, Windows Server 2008, and Windows 7, an attacker could leverage this vulnerability by persuading a user to visit a specially crafted web site with an embedded, specially crafted OpenType font. On Windows XP and Windows Server2003, an attacker would first need to login to the affected system. Once logged in, they would need to run a specially crafted application to exploit this vulnerability.


It should be noted that, by default, Internet Explorer is not affected by this vulnerability. However, other third-party web browsers that natively render Microsoft Windows OpenType fonts are vulnerable.


Successful exploitation may result in an attacker gaining the same user privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts.


RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply the appropriate patches provided by Microsoft immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Remind users not to open email attachments from unknown or untrusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS11-032.mspx


Security Focus:
http://www.securityfocus.com/bid/47179


CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0034