Beyondtrust

BeyondTrust Patch Tuesday

January 12, 2010

Microsoft Patch Disclosure

This month Microsoft released one bulletin, which repairs one vulnerability. Both eEye's Blink® Professional and Blink® Personal client security software with anti-virus have protected against client-side memory-corruption vulnerabilities generically, without the need for any updates.

The patch released this month is for a single remote code execution vulnerability when handling malformed OpenType Font files embedded within web pages or Microsoft Office documents. Administrators should patch MS10-001 immediately, especially in Windows 2000 environments where the vulnerability is easier to exploit. As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: The eEye Research Team
  • Date/Time: Jan 12, 2010

BULLETIN / ADVISORY DETAILS

MS10-001

Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)


Microsoft Rating:

Critical

CVE:

CVE-2010-0018

 

Analysis:

Attackers are likely to exploit this vulnerability using client-side attacks by setting up malicious web servers and distributing trojanized Office documents to targeted individuals. Attackers will focus on targets that are known to be using Windows 2000 machines. This can be done programmatically by detecting browser versions or Microsoft Office versions via web requests and then delivering the exploit to suitable targets. Successful exploitation will result in arbitrary code execution in the context of the current user. Administrators are advised to patch all versions of Windows; however, Windows 2000 should be patched first, with all other versions following.

 

Recommendation:

Disable support for parsing embedded fonts within Internet Explorer using the Internet Options\Security\Internet\Font Downloading options under the Tools menu item, or disable execute permissions on T2EMBED.DLL using CACLS. Any application or website that requires embedded font types may not function properly after these mitigations are applied, so administrators are advised to test applications before performing these actions.
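A read-only audit of the two workarounds in the recommendation above, as an added example that is not part of the original advisory. The registry location (Internet zone `Zones\3`, URL action `1604` for font download), the SysWOW64 copy of the DLL and the Everyone SID `S-1-1-0` are assumptions based on standard Windows behaviour, not values taken from this page.

```powershell
# Added example (not from the advisory): report whether the two MS10-001
# workarounds are in place on this machine. Read-only; changes nothing.
# Assumptions: Internet zone = Zones\3; URL action 1604 = "Font download"
# (0 = enable, 1 = prompt, 3 = disable); Everyone = SID S-1-1-0.
$everyone = 'S-1-1-0'
$execute  = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$zoneKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)

function Get-FontDownloadSetting([string]$ZoneKey) {
    # Returns the font download action stored under one zone key, if any.
    $p = Get-ItemProperty -Path $ZoneKey -Name '1604' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'not set' }
    switch ($p.'1604') {
        0 { 'enabled' }
        1 { 'prompt' }
        3 { 'disabled' }
        default { "unknown ($_)" }
    }
}

function Test-ExecuteDenied([string]$Path) {
    # True when a Deny ACE for Everyone (explicit or inherited) covers ExecuteFile.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    try {
        $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    } catch [System.UnauthorizedAccessException] {
        # A deny-all ACE also blocks reading the ACL for non-owners.
        return 'ACL unreadable (access denied)'
    }
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny' -and
            $r.IdentityReference.Value -eq $everyone -and
            ($r.FileSystemRights -band $execute) -eq $execute) { return $true }
    }
    return $false
}

foreach ($k in $zoneKeys) {
    '{0}: font download {1}' -f $k, (Get-FontDownloadSetting $k)
}
foreach ($dir in 'System32', 'SysWOW64') {
    $dll = Join-Path $env:windir "$dir\t2embed.dll"
    if (Test-Path -LiteralPath $dll) {
        '{0}: execute denied to Everyone = {1}' -f $dll, (Test-ExecuteDenied $dll)
    }
}
```

A host is covered by a workaround when the effective Internet-zone setting reports `disabled` or every listed copy of the DLL reports `True`; once MS10-001 is installed, the same output shows which workarounds are still in place and may need to be rolled back.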

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.