This month Microsoft released one bulletin which repairs one vulnerability.
Both eEye's Blink® Professional and Blink® Personal client security software with anti-virus protect against client-side memory-corruption vulnerabilities generically, without the need for any updates.
The patch released this month is for a single remote code execution vulnerability when handling malformed OpenType Font files embedded within web pages or Microsoft Office documents. Administrators should patch MS10-001 immediately, especially in Windows 2000 environments where the vulnerability is easier to exploit.
As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.
For more information on patch precedence, see the eEye Versa Newsletter article "Patch Tuesday Prioritization for a Large Enterprise."
MS10-001 - Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)
http://www.microsoft.com/technet/security/Bulletin/MS10-001.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font in client applications that can render EOT fonts, such as Microsoft Internet Explorer, Microsoft Office PowerPoint, or Microsoft Office Word. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by correcting the way that the Embedded OpenType Font Engine decompresses specially crafted files and content containing embedded fonts.
- Microtype Express Compressed Fonts Integer Flaw in the LZCOMP Decompressor Vulnerability - CVE-2010-0018
A remote code execution vulnerability exists in the way that the Microsoft Windows Embedded OpenType (EOT) Font Engine decompresses specially crafted EOT fonts. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Analysis
Attackers are likely to exploit this vulnerability through client-side attacks, by setting up malicious web servers and by distributing trojanized Office documents to targeted individuals. Attackers will focus on targets known to be running Windows 2000. This can be done programmatically by detecting browser or Microsoft Office versions from web requests and then delivering the exploit only to suitable targets. Successful exploitation results in arbitrary code execution in the context of the current user. Administrators are advised to patch all versions of Windows; however, Windows 2000 should be patched first, with all other versions following.
Recommendations
Disable support for parsing embedded fonts within Internet Explorer using the Internet Options\Security\Internet\Font Downloading setting under the Tools menu, or remove execute permissions on T2EMBED.DLL using CACLS. Any application or website that requires embedded fonts may not function properly after these mitigations are applied, so administrators are advised to test applications before performing these actions.
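The two workarounds above, scripted for a Windows command prompt as an added example (this is not code from the eEye newsletter or from Microsoft's bulletin). It assumes that registry value 1604 under the Internet zone key (zone 3) is the "Font download" URL action, that 3 means "disable", and that cacls is available as on Windows 2000/XP/2003.

```batch
@echo off
REM Added example, not part of the eEye newsletter: applies the two MS10-001
REM mitigations from the Recommendations section, then shows the result.
REM Assumptions: value 1604 in the Internet zone key is the IE "Font download"
REM action (0 = enable, 1 = prompt, 3 = disable); cacls syntax as on
REM Windows 2000/XP/2003. Run from an administrative command prompt.
setlocal

set ZONE=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
set EOTDLL=%windir%\system32\t2embed.dll

echo === Current state ===
reg query "%ZONE%" /v 1604
cacls "%EOTDLL%"

echo === Mitigation 1: disable Font Downloading in the Internet zone ===
reg add "%ZONE%" /v 1604 /t REG_DWORD /d 3 /f

echo === Mitigation 2: deny Everyone all access to T2EMBED.DLL ===
REM /E edits the existing ACL instead of replacing it, /P sets the named
REM account's permission, N = no access. Reverse it after patching with:
REM   cacls "%EOTDLL%" /E /R everyone
cacls "%EOTDLL%" /E /P everyone:N
REM 64-bit Windows also ships a 32-bit copy used by 32-bit IE and Office.
if exist "%windir%\syswow64\t2embed.dll" cacls "%windir%\syswow64\t2embed.dll" /E /P everyone:N

echo === Resulting state ===
reg query "%ZONE%" /v 1604
cacls "%EOTDLL%"

endlocal
```

Test any site or document that relies on embedded fonts after running this, since both settings break legitimate EOT rendering until they are reverted once the patch is installed.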
The eEye Advantage
Retina® Network Security Scanner
eEye Digital Security's Retina customers can update their scanner to detect systems vulnerable to these latest issues and verify this month's Microsoft patches are installed. Updated Retina audits are automatically available to eEye Retina customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/Resources/Security-Center/Patch-Tuesday/Audits/January-2010.aspx
Blink® Endpoint Security
eEye's line of Blink with Anti-Virus software protects against exploitation of these flaws without requiring invasive firewalling that could limit system functionality and business connectivity, and without disabling services or applications as a means of protection. The result is complete protection for the system and the sensitive data that resides on it, with zero downtime or impact to critical system operations.
Current Blink customers aren't required to do anything to realize the protection from these remote code execution flaws. No updates or policy changes are required. Blink Professional, Blink Server and Blink Personal now include multiple integrated anti-virus engines. Blink Personal is available for free for one year for personal use and can be downloaded at http://www.eeye.com/blinkpersonal/. Business users can download a trial version of Blink Professional at http://www.eeye.com/blink/
Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit http://www.eeye.com/Company/News-and-Events/Vulnerability-Expert-Forum.aspx.