Today, we released MS11-087 addressing an issue in the font parsing subsystem of win32k.sys, CVE-2011-3402. The bulletin received a Critical rating due to a potential browser-based attack vector. We have not seen the browser-based attack vector exploited in the wild. The bulletin includes a workaround to disable this remote code execution attack surface. You might consider applying the workaround even after applying security update MS11-087, simply to reduce your attack surface. This blog explains how in more detail.

Issue Summary

This vulnerability has been used to drop the Duqu malware. An insufficient bounds check within the font parsing subsystem of win32k.sys could potentially allow a malformed font to corrupt ring0 memory. In the case of the Duqu dropper, a malformed font embedded inside an Office Word document triggered this memory corruption vulnerability to jump to attacker shellcode.

To be clear, Duqu did not exploit the browser-based attack vector. As far as we know, this vulnerability has only been exploited via a custom font embedded within an Office document. However, attackers could potentially construct a malicious font in such a way that it could be embedded in a webpage. There is an easy workaround to block that particular attack surface.

Protecting your environment

The best option for protecting against this particular vulnerability is to apply the MS11-087 security update. It will comprehensively address this issue.

If you are unable to apply the update right away and/or are concerned primarily about the browser-based attack surface, you might consider simply disabling IE’s ability to download custom fonts entirely. The side effect of this approach is potential display and layout glitches on web pages that leverage custom fonts to display text in interesting new ways. However, the vast majority of web sites use fonts included with Windows or use text layout tricks that do not require this particular custom font technology. Opening a web page that embeds a custom font after you have applied the workaround will cause Internet Explorer to display the text using a built-in font. Below, you can see the user experience of browsing to a webpage that leverages a custom font:

Figure 1: Webpage using custom, downloaded font

Figure 2: Same webpage displayed after workaround is applied

Workaround Steps

You can disable custom font download in Internet Explorer either interactively (using the GUI), via Group Policy, or via a Managed Deployment Script across multiple machines.

- Interactive deployment

  • Launch Internet Explorer
  • On the ‘Tools’ Menu select ‘Internet Options’.
  • Click the ‘Security’ Tab.
  • To change the setting for the ‘Internet’ zone select ‘Internet’ and press the ‘Custom Level’ button.
  • Scroll down to the ‘Downloads’ section and select ‘Prompt’ or ‘Disable’ for the ‘Font Download’ security setting.
  • Press OK to close the ‘Security Settings’ dialog box.
  • Press OK to close the ‘Internet Options’ dialog box.

- Group Policy deployment

NOTE: The Group Policy MMC snap-in can be used to set policy for a machine, for an organizational unit or an entire domain. It is assumed that the reader will know how to deploy the steps below for their particular environment.

  • Open the group policy management console and configure it to work with the appropriate group policy object (i.e. local machine, OU or domain GPO).
  • Navigate to the following node:
    • User Configuration -> Windows Settings -> Internet Explorer Maintenance -> Security.
  • Double click ‘Security Zones and Content Rating’.
  • On the ‘Security Zones and Content Rating’ dialog box select ‘Import the current security zones and privacy settings’ and then click the ‘Modify settings’ button.
  • NOTE: This will create a group policy for Internet Explorer based on the settings of the currently logged in user.
  • On the ‘Internet Properties’ dialog box ensure the ‘Internet’ zone is selected and then press ‘Custom Level’.
  • Scroll down to ‘Downloads’ and set ‘Font Download’ to ‘Prompt’ or ‘Disable’.
  • Press OK to return to the ‘Internet Properties’ dialog box.
  • On the ‘Internet Properties’ dialog box select the ‘Local Intranet’ zone and then press ‘Custom Level’.
  • Scroll down to ‘Downloads’ and set ‘Font Download’ to ‘Prompt’ or ‘Disable’.
  • Press OK to return to the ‘Internet Properties’ dialog box.
  • Press OK to return to the ‘Security Zones and Content Rating’ dialog box.
  • Press OK to return to the group policy management console.
  • Refresh the group policy on all machines or wait for the next scheduled group policy refresh interval for the settings to take effect.

- Managed Deployment Script deployment

This security setting can be manually entered into the registry by creating a registry script and importing it, either by double clicking it or by running regedit.exe as part of a logon or machine startup script. For managed deployments, regedit.exe can be used to import a registry script silently with the ‘-s’ switch. For more information on regedit command line switches refer to: http://support.microsoft.com/kb/q82821/

To set the ‘Font Download’ setting to ‘Prompt’ for the Internet and Local Intranet zones, paste the following text into a .REG file and then import the .REG file on managed machines as part of your organization's managed deployment process:

Windows Registry Editor Version 5.00

; Zone 1 is the local intranet zone
; 1604 is the Font download policy
; dword:00000001 sets the policy to prompt
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1604"=dword:00000001
; Zone 3 is the internet zone
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1604"=dword:00000001

To set the ‘Font Download’ setting to ‘Disable’ for the Internet and Local Intranet zones, paste the following text into a .REG file and then import the .REG file on managed machines as part of your organization's managed deployment process:

Windows Registry Editor Version 5.00

; Zone 1 is the local intranet zone
; 1604 is the Font download policy
; dword:00000003 sets the policy to disable
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1604"=dword:00000003
; Zone 3 is the internet zone
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1604"=dword:00000003
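After a managed deployment you will usually want to confirm that the 1604 value actually reached every machine. The script below is an added example written for this post (it is not part of the bulletin or of the .REG files above): it audits the Local Intranet (zone 1) and Internet (zone 3) keys under HKEY_CURRENT_USER, reports whether the workaround is in effect, and can optionally set the value to ‘Prompt’ (1) or ‘Disable’ (3). The parameter name -Apply and the output wording are this example's own choices.

```powershell
# Audit, and optionally apply, the IE 'Font Download' (1604) workaround for
# the Local Intranet (zone 1) and Internet (zone 3) zones of the current user.
# Example for this post; not code from the MS11-087 bulletin. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateSet('Prompt', 'Disable')]
    [string]$Apply   # omit to audit only; 'Prompt' writes 1, 'Disable' writes 3
)

$base      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones     = @{ 1 = 'Local Intranet'; 3 = 'Internet' }   # zones the workaround covers
$valueName = '1604'                                      # Font Download policy
$meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$target    = @{ Prompt = 1; Disable = 3 }

foreach ($id in ($zones.Keys | Sort-Object)) {
    $key     = Join-Path $base $id
    $current = $null
    if (Test-Path $key) {
        # Missing value is returned as $null rather than throwing
        $current = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    }

    if ($null -eq $current) {
        $state = 'not set (zone default applies)'
    } elseif ($meaning.ContainsKey([int]$current)) {
        $state = $meaning[[int]$current]
    } else {
        $state = "unexpected value $current"
    }

    # Either Prompt (1) or Disable (3) blocks silent font download
    $protected = ($current -eq 1) -or ($current -eq 3)
    $status    = if ($protected) { 'in effect' } else { 'NOT in effect' }
    Write-Output ("Zone {0} ({1}): {2} = {3} -> workaround {4}" -f $id, $zones[$id], $valueName, $state, $status)

    if ($Apply -and ($current -ne $target[$Apply])) {
        $wanted = $target[$Apply]
        if ($PSCmdlet.ShouldProcess("$key\$valueName", "set to $wanted ($Apply)")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name $valueName -Value $wanted -Type DWord
            Write-Output "  -> set $valueName to $wanted ($Apply)"
        }
    }
}
```

Run it with no parameters to audit, `-Apply Disable -WhatIf` to preview the change, and `-Apply Disable` (or `-Apply Prompt`) to write the value; as with the .REG files, it edits only the current user's hive, so run it in the user's context (for example from a logon script).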

Bottom Line

We encourage you to first apply the security update to address this particular vulnerability. However, you might consider also blocking the browser-based font attack surface from within Internet Explorer as a good ‘attack surface reduction’ step. The tiny minority of web pages that embed custom fonts may display differently but you will be protected from any potential browser-based attack vectors leveraging custom fonts within Internet Explorer.

- Chengyun Chu and Jonathan Ness, MSRC Engineering