
First Microsoft vulnerability (MS10-001) in 2010: Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)

Author duststar

Official link to Microsoft: http://www.microsoft.com/technet/security/Bulletin/MS10-001.mspx

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font in client applications that can render EOT fonts, such as Microsoft Internet Explorer, Microsoft Office PowerPoint, or Microsoft Office Word. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

There are 3 points worth mentioning here:

1. The vulnerability is privately reported.

What if this vulnerability had not been reported, and had instead been kept for private use? It would be a 0-day. Until a signature exists for it, it is invisible to signature-based anti-virus and to signature-based network intrusion detection systems. A host-based intrusion detection system might still catch it, but only if you configure it to watch behaviour rather than signatures: for example, a client application such as Internet Explorer, Word or PowerPoint suddenly spawning a new process or writing an executable to disk. In case you are thinking that your host-based firewall will save you: no. The exploit code runs inside a process that is already allowed to talk to the network, so the rules that let the browser out also let the payload out, and host firewalls can be bypassed in any case.

2. The vulnerability is delivered to users by "piggybacking" on popular applications.

The flaw is in a shared Windows component, the Embedded OpenType font engine, not in any single application, so every application that can render EOT fonts is exposed, and the attacker can pick the delivery channel: a web page for Internet Explorer, a document for Word, a slide deck for PowerPoint. This multiplies the ways a user can be infected. It is imperative to patch your system immediately.

3. Locking down user accounts does reduce the impact of exploiting this vulnerability.

In my previous post, I mentioned the importance of using locked-down accounts, and it applies to this issue: the payload runs with the rights of the account that opened the page or document, which is why Microsoft notes that users with fewer rights could be less impacted than those operating with administrative rights.
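To make points 1 and 3 concrete, here is an added example of the kind of behavioural host-based check described above. It is not code from the original post or from any vendor; it scans constructed process-creation records (the field names mirror Sysmon's ProcessCreate event, but the records themselves are invented) for an EOT-rendering client application spawning a process it has no business starting, and rates the finding higher when the parent ran with administrative rights, since the payload inherits them.

```python
"""Added example, not from the original post: a behavioural detection pass
over process-creation logs. It flags Internet Explorer, Word or PowerPoint
(the EOT renderers named in MS10-001) spawning an interpreter or an
executable from a user-writable directory, which is what a successful
font-engine exploit normally does next. Log format is constructed here.
"""
from dataclasses import dataclass
from typing import List, Optional

# Client applications the MS10-001 bulletin names as able to render EOT fonts.
EOT_RENDERERS = {"iexplore.exe", "winword.exe", "powerpnt.exe"}

# Children a browser or document viewer has little legitimate reason to start.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                       "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Directory markers a standard user can write to; a dropped payload usually lives here.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\downloads\\", "\\programdata\\")


@dataclass
class ProcessEvent:
    time: str
    user: str
    integrity_level: str   # "High" means the process ran with administrative rights
    parent_image: str      # full path of the parent process
    image: str             # full path of the new process
    command_line: str


@dataclass
class Finding:
    time: str
    user: str
    parent: str
    child: str
    reason: str
    severity: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'Key=Value|Key=Value' record (constructed format, Sysmon-like names)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(
        time=fields["UtcTime"],
        user=fields["User"],
        integrity_level=fields["IntegrityLevel"],
        parent_image=fields["ParentImage"],
        image=fields["Image"],
        command_line=fields["CommandLine"],
    )


def assess(event: ProcessEvent) -> Optional[Finding]:
    """Return a Finding if the event looks like post-exploitation from an EOT renderer."""
    parent = basename(event.parent_image)
    if parent not in EOT_RENDERERS:
        return None
    child = basename(event.image)
    child_path = event.image.lower()
    if child in SUSPICIOUS_CHILDREN:
        reason = f"{parent} spawned interpreter {child}"
    elif any(marker in child_path for marker in USER_WRITABLE_MARKERS):
        reason = f"{parent} spawned executable from user-writable path {event.image}"
    else:
        # e.g. iexplore.exe starting another iexplore.exe tab process is normal.
        return None
    # Point 3 of the post: the payload inherits the parent's rights, so an
    # administrative session turns the same event into a full compromise.
    severity = "high" if event.integrity_level == "High" else "medium"
    return Finding(event.time, event.user, parent, child, reason, severity)


def scan(lines: List[str]) -> List[Finding]:
    """Run assess() over every non-empty record and keep the findings."""
    return [f for f in (assess(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed sample records, not captured from a real host.
SAMPLE_LOG = [
    r"UtcTime=2010-01-12 09:14:02|User=CORP\alice|IntegrityLevel=Medium|ParentImage=C:\Program Files\Internet Explorer\iexplore.exe|Image=C:\Program Files\Internet Explorer\iexplore.exe|CommandLine=iexplore.exe SCODEF:1234 CREDAT:5678",
    r"UtcTime=2010-01-12 09:14:05|User=CORP\alice|IntegrityLevel=Medium|ParentImage=C:\Program Files\Internet Explorer\iexplore.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c echo pwned",
    r"UtcTime=2010-01-12 09:20:11|User=CORP\bob|IntegrityLevel=High|ParentImage=C:\Program Files\Microsoft Office\Office12\WINWORD.EXE|Image=C:\Users\bob\AppData\Local\Temp\svc.exe|CommandLine=svc.exe",
    r"UtcTime=2010-01-12 09:25:40|User=CORP\carol|IntegrityLevel=Medium|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding.severity}] {finding.time} {finding.user}: {finding.reason}")
```

The first record (IE starting a second iexplore.exe tab process) and the last (explorer.exe starting cmd.exe) are deliberately benign and produce no finding; the cmd.exe spawned from a standard-user IE session is rated medium, while the executable dropped to a temp directory by Word running with administrative rights is rated high. The parent/child rule, not a signature for this particular EOT file, is what makes the check useful against an unreported variant.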

.duststar
