MS font exploit

Hi :frowning:

Bad news from MS again.
http://technet.microsoft.com/en-us/security/advisory/2639658
http://support.microsoft.com/kb/2639658

http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
I'm not sure what they mean by "Unfortunately, no robust workarounds exist at this time other than following best practices, such as avoiding documents from unknown parties and utilizing alternative software.". Alternative to what? Is it just MS Office or would this affect LO too (since it goes through fonts?)?

The common sense methods for avoiding it have limited use as we have to sometimes read documents from sources we are not completely confident about. It's ok for a few days.
Regards from
Tom :slight_smile:

Do not use software that allows the use of embedded fonts in documents ...
LibreOffice and ODF do not allow embedded fonts in documents.

In French:
http://www.certa.ssi.gouv.fr/site/CERTA-2011-ALE-006/CERTA-2011-ALE-006.html

Automated translation in English by Google:
http://translate.google.fr/translate?sl=fr&tl=en&js=n&prev=_t&hl=fr&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.certa.ssi.gouv.fr%2Fsite%2FCERTA-2011-ALE-006%2FCERTA-2011-ALE-006.html

Best regards.
JBF

APPLIES TO

     Windows 7 Service Pack 1, when used with:
         Windows 7 Enterprise
         Windows 7 Professional
         Windows 7 Ultimate
         Windows 7 Home Premium
         Windows 7 Home Basic
     Windows 7 Enterprise
     Windows 7 Professional
     Windows 7 Ultimate
     Windows 7 Home Premium
     Windows 7 Home Basic
     Windows Server 2008 R2 Service Pack 1, when used with:
         Windows Server 2008 R2 Standard
         Windows Server 2008 R2 Enterprise
         Windows Server 2008 R2 Datacenter
     Windows Server 2008 R2 Standard
     Windows Server 2008 R2 Enterprise
     Windows Server 2008 R2 Datacenter
     Windows Server 2008 Service Pack 2, when used with:
         Windows Server 2008 for Itanium-Based Systems
         Windows Server 2008 Datacenter
         Windows Server 2008 Enterprise
         Windows Server 2008 Standard
         Windows Web Server 2008
     Windows Vista Service Pack 2, when used with:
         Windows Vista Business
         Windows Vista Enterprise
         Windows Vista Home Basic
         Windows Vista Home Premium
         Windows Vista Starter
         Windows Vista Ultimate
         Windows Vista Enterprise 64-bit Edition
         Windows Vista Home Basic 64-bit Edition
         Windows Vista Home Premium 64-bit Edition
         Windows Vista Ultimate 64-bit Edition
         Windows Vista Business 64-bit Edition
     Microsoft Windows Server 2003 Service Pack 2, when used with:
         Microsoft Windows Server 2003, Standard Edition (32-bit x86)
         Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
         Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
         Microsoft Windows Server 2003, Web Edition
         Microsoft Windows Server 2003, Datacenter x64 Edition
         Microsoft Windows Server 2003, Enterprise x64 Edition
         Microsoft Windows Server 2003, Standard x64 Edition
         Microsoft Windows XP Professional x64 Edition
         Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
         Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
     Microsoft Windows XP Service Pack 3, when used with:
         Microsoft Windows XP Home Edition
         Microsoft Windows XP Professional

Whew! Yet another reason to run Linux. :slight_smile:

There are two microsoft.com pages that relate to this situation. The problem
is that the exploit happens against the kernel (in GDI, etc.) so there is not
much to do about it in any applications.

The knowledge-base KB article is the most helpful in terms of mitigation.

Any applications that handle their own TrueType font handling by other than the
Windows calls that accomplish font handling and rendering need to look to see
if they have any vulnerability in their parser. This also applies to any
non-Windows support for TrueType fonts that runs on the same architectures as
Windows. There's not enough public information to know what to look for. I
expect that there is cross-platform cooperation at the security-team levels on
this one.

Meanwhile, the only remedy at the moment is to apply the workarounds that
apply to Windows.

Here is what I can discern from the sketchy information:

1. The exploit requires a specially-crafted TrueType Font package.
2. The vulnerability is exploited when such a font is parsed as part of
rendering of any presentation using the Windows internal support for TrueType
fonts.
3. There is a fix available at the knowledge base article. It *appears* in
my non-expert reading to prevent use of the intrinsic support for embedded
fonts, since this is a potentially-appealing avenue of attack via
specially-crafted documents. Fixes to close that door, and to reopen it
later, are available at the KB article.

I suspect that the workaround has no impact on LO and OO.o operability,
although I guess the thing to do is turn on the workaround and see for sure.

I'm going to do that as soon as I do some system backups first.

- Dennis E. Hamilton
   tools for document interoperability, <http://nfoWorks.org/>
   dennis.hamilton@acm.org gsm: +1-206-779-9430 @orcmid
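
The post above says that applications with their own TrueType parser need to examine it, while noting that the actual flaw is not public. As an added illustration (not from the thread, and not a description of the vulnerability in the advisory), this is the kind of bounds checking such a parser applies to the sfnt table directory before reading any table; the function and constant names are hypothetical and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { SFNT_OK = 0, SFNT_TRUNCATED, SFNT_BAD_MAGIC, SFNT_BAD_TABLE };

/* Big-endian readers; the caller has already checked the bytes are in range. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Validate the 12-byte sfnt header and the numTables 16-byte records
   (tag, checksum, offset, length) that follow it. Checksums are not verified. */
int sfnt_check_directory(const uint8_t *buf, size_t len) {
    if (len < 12) return SFNT_TRUNCATED;
    uint32_t ver = be32(buf);
    if (ver != 0x00010000u && ver != 0x74727565u /* 'true' */) return SFNT_BAD_MAGIC;
    size_t n = be16(buf + 4);
    size_t dir_end = 12 + n * 16;            /* n <= 65535, so this cannot wrap */
    if (dir_end > len) return SFNT_TRUNCATED;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *rec = buf + 12 + i * 16;
        uint32_t off = be32(rec + 8), tlen = be32(rec + 12);
        /* Never compute off + tlen: it can wrap in 32 bits and pass a naive check. */
        if (off < dir_end || off > len || tlen > len - off) return SFNT_BAD_TABLE;
    }
    return SFNT_OK;
}

/* Constructed sample: one 'glyf' table, 4 bytes long, at offset 28. */
static const uint8_t SAMPLE_OK[32] = {
    0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,       /* version, numTables */
    'g', 'l', 'y', 'f', 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 4,    /* one table record */
    0, 0, 0, 0 };                                               /* table data */

/* Re-check the sample with its table length field replaced by tlen. */
int check_with_length(uint32_t tlen) {
    uint8_t b[sizeof SAMPLE_OK];
    memcpy(b, SAMPLE_OK, sizeof b);
    b[24] = (uint8_t)(tlen >> 24); b[25] = (uint8_t)(tlen >> 16);
    b[26] = (uint8_t)(tlen >> 8);  b[27] = (uint8_t)tlen;
    return sfnt_check_directory(b, sizeof b);
}

int main(void) {
    printf("valid=%d overlong=%d wrapping=%d\n", check_with_length(4),
           check_with_length(5), check_with_length(0xFFFFFFF0u));
    return 0;
}
```

The third case is the one a check written as `offset + length <= size` would accept, because the sum wraps to a small value.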

Hi :slight_smile:
That seems to list all the supported versions/distros of Windows but doesn't
include unsupported ones such as Win98. Does that mean Win98 is safe or
just that they don't bother to look to see if it's vulnerable?

Tbh my interest suddenly dropped away when i found that LO is safe even if
we read a doc file in it and creating doc files is still safe too in LO.
I'm a little worried about the works machines especially after the work i
have put in these last 2 weeks but if they suffer because of using MS Office
then it might encourage them to move to LO and that would be fine by me.
The problem would be if the machines got infected right after me working on
updating everything and installing weird stuff such as LO.

If LO prevents the machine itself getting infected that is one good thing
but if it inadvertently passes infections on then the wrong people, ie LO
users, might start getting the blame for something that is not their/our
fault. Of course they/we would also be passing it on if we were using MS
Office but at least we would have had more warning about it as our machines
got infected. Hmmm, this whole lack of security in MS products really
creates a lot of weird blame issues.

Regards from
Tom :slight_smile:

Windows 98 is vulnerable.

Windows 98 is not supported by MS any longer, and there are literally
thousands of unpatched known exploits for that OS. Windows 98 should
only be used in non-networked single-purpose applications now, and
furthermore an exit plan should be devised for all systems still
running 98.

If you are still using Windows 98 then this new vulnerability is the
least of your security concerns.

Hi :slight_smile:
I don't have any Win98 machines to worry about luckily but i know a couple of people that keep installing it for their clients.

I tend to find lighter-weight Gnu&Linux distros are more up-to-date with drivers and stuff. Wine makes it possible to run most apps designed for Windows although it can take a bit of work sometimes. Luckily i am mostly able to avoid such old machines.

The info is good to know tho so thanks for that :slight_smile:
Regards from
Tom :slight_smile:

Take heart: I just received an update and install notice for two patches concerning TrueType fonts on my Windows XP SP3 Tablet PC. I don't know whether there are more coming. I don't see anything for Vista or Windows 7 yet. Stay tuned.

If you are running Windows XP, it might be a good time to check for updates.

- Dennis

Tom,

The security issue is not about a virus or the ways a virus is spread.

It is certainly about the prospect of a machine being compromised and used as part of a zombie army or whatever. The compromise could also be used to compromise security on the machine that is successfully attacked.

I wouldn't say that LO is safe. Any application that allows selection of TTF fonts and that uses Windows to render fonts on the display and for printing might be vulnerable -- all of the attack routes have not been disclosed. But as someone else commented, the vulnerability is in Windows. Also, the malicious fonts need to be installed or accessed somehow. The embedded case that had a workaround is presumably but one of the attack entries.

- Dennis

Hi :slight_smile:
Thanks Dennis. :slight_smile: I know i am pretty safe at home. A targeted attack could probably compromise me fairly easily but i am pretty safe from drive-by and casual attacks. Reinstalling an OS is no big deal either.

The main place i worry about uses mostly Xp machines and tomorrow is a good day for me to get access to all but 2 of the machines.
Regards from
Tom :slight_smile:

Not so fast there Sparky (to Dennis).

Those two updates are apparently for 2010 patches to the EOT code. I get repeated requests to install them, over and over again. I don't know if it was my running the Fixit workaround or not, but I have blocked the two updates from installing any longer.

- Dennis