MS09-065 addresses a vulnerability (CVE-2009-2514) in the font parsing subsystem of win32k.sys. If not addressed, this vulnerability could allow an attacker to bluescreen (DoS) the machine (best case scenario) or run code of his/her choice, possibly in the context of the kernel (worst case scenario).
In this blog entry, I'll attempt to answer a few questions regarding the vulnerability addressed in this month’s win32k.sys security update:
What is the issue?
An integer-wrapping vulnerability exists in the font parsing subsystem within win32k.sys, in the code responsible for constructing a table of directory entries. The integer wrap can occur when adding a directory entry's offset and size members, and the wrapped result can lead to improper memory access in subsequent code. This improper memory access would commonly be observed in the form of a Read Access Violation.
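As an added illustration of the class of bug described above (not Microsoft's code, and not the actual win32k.sys logic), the following C example models a directory entry with 32-bit offset and length members, as in a TrueType table directory, and contrasts a bounds check whose addition can wrap with one that cannot. The sample directory and file size are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified directory entry: the two 32-bit members whose sum is at issue.
 * Assumption: layout modelled on the public TrueType spec, not win32k.sys. */
typedef struct {
    uint32_t offset;
    uint32_t length;
} dir_entry_t;

/* Naive bounds check: offset + length is computed in 32 bits and can wrap,
 * so an entry whose real end lies far past the file can still pass. */
bool entry_in_bounds_naive(const dir_entry_t *e, uint32_t file_size) {
    uint32_t end = e->offset + e->length;   /* may wrap around */
    return end <= file_size;
}

/* Overflow-safe check: rearranged so that no arithmetic can wrap. */
bool entry_in_bounds_safe(const dir_entry_t *e, uint32_t file_size) {
    if (e->offset > file_size)
        return false;
    return e->length <= file_size - e->offset;   /* cannot underflow here */
}

/* Apply a check to every entry; a real parser would reject the whole font
 * on the first failure. Returns how many entries the check accepted. */
size_t count_accepted(const dir_entry_t *dir, size_t n, uint32_t file_size,
                      bool (*check)(const dir_entry_t *, uint32_t)) {
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (check(&dir[i], file_size))
            accepted++;
    return accepted;
}

/* Constructed sample for a 4096-byte font: two sane entries and one whose
 * offset + length wraps to a small value (0xFFFFFFF0 + 0x20 == 0x10). */
static const dir_entry_t sample_dir[] = {
    { 0x000000C0, 0x00000100 },
    { 0x000001C0, 0x00000E00 },
    { 0xFFFFFFF0, 0x00000020 },
};
static const uint32_t sample_file_size = 4096;

int main(void) {
    size_t n = sizeof sample_dir / sizeof sample_dir[0];
    printf("naive check accepts %zu of %zu entries\n",
           count_accepted(sample_dir, n, sample_file_size, entry_in_bounds_naive), n);
    printf("safe check accepts %zu of %zu entries\n",
           count_accepted(sample_dir, n, sample_file_size, entry_in_bounds_safe), n);
    return 0;
}
```

The naive check accepts the wrapped entry, which is the kind of improper memory access the advisory describes; the safe check rejects it.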
The severity rating of critical was chosen since the vulnerable code is exposed through Internet Explorer and can be exercised without user interaction/notification. It has also been given an Exploitability Index rating of 1.
What platforms are affected?
Users of Windows 2000, Windows XP, and Windows Server 2003 are affected by this vulnerability. Windows Vista, Windows 7, Windows Server 2008, and Windows 2008 R2 users are not affected.
What are the attack vectors?
Remote attack vectors (worst case scenario is Remote Code Execution):
- Malicious fonts (TTFs) delivered within .eot files hosted on malicious web sites, which are rendered by default in all versions of Internet Explorer.
- Malicious Office documents e-mailed to victims, using social engineering to entice the victim to open a document containing a malformed embedded font, which is then rendered when the Office document is opened (PowerPoint and Word documents are the most likely attack vectors).
Local attack vectors (worst case scenario is Local Elevation of Privilege):
- Malicious fonts (TTFs) delivered to win32k.sys by an authenticated user in a multi-user environment (Terminal Services (TS)) scenario. Such scenarios might abuse AddFontResource() to achieve this.
How do I protect myself?
The best option for protecting against this vulnerability is to apply the update for MS09-065.
If you are unable to apply the update, another option is to disable support for parsing/loading embedded fonts in IE. The side effect of this approach is that it will cause web sites which make use of embedded font technology to fail to render properly. The steps involved in disabling support for parsing embedded fonts in IE are as follows:
- Launch Internet Explorer.
- On the 'Tools' menu select 'Internet Options'.
- Click the 'Security' tab.
- To change the setting for the 'Internet' zone, select 'Internet' and press the 'Custom Level' button.
- Scroll down to the 'Downloads' section and select 'Prompt' or 'Disable' for the 'Font Download' security setting.
- Press OK to close the 'Security Settings' dialog box.
- Press OK to close the 'Internet Options' dialog box.
NOTE: The Group Policy MMC snap-in can be used to set policy for a machine, for an organizational unit or an entire domain. It is assumed that the reader will know how to deploy the steps below for their particular environment.
- Open the group policy management console and configure it to work with the appropriate group policy object (i.e. local machine, OU or domain GPO).
- Navigate to the following node:
  - User Configuration -> Windows Settings -> Internet Explorer Maintenance -> Security.
- Double click 'Security Zones and Content Rating'.
- On the 'Security Zones and Content Rating' dialog box select 'Import the current security zones and privacy settings' and then click the 'Modify settings' button.
  - NOTE: This will create a group policy for Internet Explorer based on the settings of the currently logged in user.
- On the 'Internet Properties' dialog box ensure the 'Internet' zone is selected and then press 'Custom Level'.
- Scroll down to 'Downloads' and set 'Font Download' to 'Prompt' or 'Disable'.
- Press OK to return to the 'Internet Properties' dialog box.
- On the 'Internet Properties' dialog box select the 'Local Intranet' zone and then press 'Custom Level'.
- Press OK to return to the 'Security Zones and Content Ratings' dialog box.
- Press OK to return to the group policy management console.
- Refresh the group policy on all machines, or wait for the next scheduled group policy refresh interval, for the settings to take effect.
Managed Deployment Script
This security setting can be manually entered into the registry by creating a registry script and importing it either by double clicking it or running regedit.exe as part of a logon or machine startup script. For managed deployments Regedit.exe can be used to import a registry script silently with the ‘-s’ switch. For more information on regedit command line switches refer to: http://support.microsoft.com/kb/q82821/
To set this setting to 'Prompt' for the Internet and Local Intranet zones, paste the following text into a .REG file and then import the .REG file on managed machines as part of your organization's managed deployment process:
Windows Registry Editor Version 5.00
; Zone 1 is the local intranet zone
; 1604 is the Font download policy
; dword:00000001 sets the policy to prompt
; Zone 3 is the internet zone
To set this setting to 'Disable' for the Internet and Local Intranet zones, paste the following text into a .REG file and then import the .REG file on managed machines as part of your organization's managed deployment process:
; dword:00000003 sets the policy to disable
Big thanks to Robert Hensing from the MSRC Engineering Team for his work on defensive workarounds for this issue as well as to Andrew Roths from the MSRC Engineering Team.
-Brian Cavenah, MSRC Engineering