Thread-topic: [VulnWatch] [EEYEB-2000801] - Windows Embedded Open Type (EOT) Font Heap Overflow Vulnerability
Technical details
>
> EEYEB-20050801 Windows Embedded Open Type (EOT) Font Heap Overflow
> Vulnerability
>
> Release Date:
> January 10, 2006
>
> Date Reported:
> July 31, 2005
>
> Time to Patch:
> 163 Days
>
> Severity:
> High (Code Execution)
>
> Systems Affected:
> Windows ME
> Windows 98
> Windows NT
> Windows 2000
> Windows XP SP1 / SP2
> Windows Server 2003 SP0 / SP1
>
> Overview:
> eEye Digital Security has discovered a vulnerability in the way Windows
> uncompresses Embedded Open Type fonts that would allow the author of a
> malicious web page to execute arbitrary code on the system of a user who
> visits the site, at the privilege level of that user.
>
> Embedded Open Type fonts are referenced through the use of style data,
> as the following snippet illustrates:
>
> @font-face {
>   font-family: Abysmal;
>   font-style: normal;
>   font-weight: normal;
>   src: url(evil.eot);
> }
> Although these fonts typically have .eot file extensions, it should be
> noted that any extension may be used in order to exploit this
> vulnerability.
>
> Technical Details:
> A heap overflow vulnerability exists in T2EMBED.DLL, which Internet
> Explorer invokes to process EOT fonts. The data within an EOT file is
> compressed in Agfa MicroType Express format, which hosts an
> LZ-compressed stream that includes a 24-bit allocation size. This size
> + 1C00h is allocated within the function MTX_LZCOMP_UnPackMemory, but
> the resulting allocation size is not validated before data is copied
> into the block, allowing a malformed EOT file to cause an essentially
> arbitrary-length heap buffer overflow with binary data.
>
> Protection:
> Retina Network Security Scanner has been updated to identify this
> vulnerability.
> Blink End-Point Protection proactively protects against this
> vulnerability.
>
> Vendor Status:
> Microsoft has released a patch for this vulnerability. The patch is
> available at:
> http://www.microsoft.com/technet/security/bulletin/MS06-002.mspx
>
> References:
> EEYE ID# EEYEB-20050801
> OSVDB ID# 18829
> CVE # CVE-2006-0010
>
> Credit:
> Fang Xing
>
> Greetings:
> eEye Research and especially Derek for all his help
>
> Copyright (c) 1998-2006 eEye Digital Security. Permission is hereby
> granted for the redistribution of this alert electronically. It is not
> to be edited in any way without express consent of eEye. If you wish to
> reprint the whole or any part of this alert in any other medium
> excluding electronic medium, please email alert@xxxxxxxx for
> permission.
>
> Disclaimer:
> The information within this paper may change without notice. Use of
> this information constitutes acceptance for use in an AS IS condition.
> There are no warranties, implied or express, with regard to this
> information. In no event shall the author be liable for any direct or
> indirect damages whatsoever arising out of or in connection with the use
> or spread of this information. Any use of this information is at the
> user's own risk.
>
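Added example (not eEye's advisory code and not Microsoft's T2EMBED implementation): the defensive shape of the allocation-and-copy path the Technical Details describe, where a 24-bit size field from the stream sizes a buffer of size + 1C00h and every decompressed byte is then checked against that capacity instead of trusted. The byte order of the size field, the toy token format of the LZ stream (it is not MicroType Express), and the MAX_UNPACKED policy limit are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define HEADROOM     0x1C00u    /* the "+ 1C00h" slack the advisory describes */
#define MAX_UNPACKED (8u << 20) /* assumed policy limit, not a field of the format */

/* Bounded output buffer: every write is checked against cap, never trusted. */
typedef struct { uint8_t *base; size_t cap; size_t len; } outbuf_t;

/* Read the 24-bit size field (assumed little-endian) and size the block from it. */
int outbuf_init(outbuf_t *o, const uint8_t *hdr, size_t hdr_len) {
    if (hdr_len < 3) return -1;
    uint32_t declared = hdr[0] | (hdr[1] << 8) | ((uint32_t)hdr[2] << 16);
    if (declared > MAX_UNPACKED) return -1;   /* reject absurd sizes before allocating */
    size_t cap = (size_t)declared + HEADROOM; /* cannot overflow: declared < 2^24 */
    o->base = calloc(cap, 1);
    if (!o->base) return -1;
    o->cap = cap; o->len = 0;
    return 0;
}

/* The check the vulnerable path lacked: refuse to write past the allocation. */
static int out_put(outbuf_t *o, uint8_t b) {
    if (o->len >= o->cap) return -1;
    o->base[o->len++] = b;
    return 0;
}

/* Toy LZ stream constructed for this example: token 0x00 n, then n literal
   bytes; token 0x01 dist n copies n bytes starting dist bytes back. */
int unpack_bounded(const uint8_t *in, size_t in_len, outbuf_t *o) {
    size_t i = 0;
    while (i < in_len) {
        uint8_t tok = in[i++];
        if (tok == 0x00) {
            if (i >= in_len) return -1;
            size_t n = in[i++];
            if (n > in_len - i) return -1;            /* literal run exceeds input */
            for (size_t k = 0; k < n; k++) if (out_put(o, in[i + k])) return -1;
            i += n;
        } else if (tok == 0x01) {
            if (in_len - i < 2) return -1;
            size_t dist = in[i++], n = in[i++];
            if (dist == 0 || dist > o->len) return -1; /* reference before start */
            for (size_t k = 0; k < n; k++) if (out_put(o, o->base[o->len - dist])) return -1;
        } else return -1;                              /* unknown token */
    }
    return 0;
}
```

A stream whose real output exceeds the declared size plus headroom now fails at the first out-of-bounds write with the buffer still intact, which is the behaviour a decompressor fed attacker-controlled fonts needs.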