HighIBM Security Server Protection for Windows, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, RealSecure Server Sensor, RealSecure Network, Proventia Desktop, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:
This signature detects a specially crafted Embedded OpenType Font file.
High
IBM Security Server Protection for Windows: 1.0.914.2410, IBM Security Server Protection for Windows: 2.0.300.2410, IBM Security Server Protection for Windows: 2.1.14.2410, Proventia Network MFS: XPU 29.070, Proventia Network IDS: XPU 29.070, Proventia-G 1.1 and earlier: XPU 29.070, RealSecure Server Sensor: XPU 29.070, RealSecure Network: XPU 29.070, Proventia Desktop: 2410, Proventia Network IPS: XPU 29.070, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 29.070
Microsoft Windows 2000: SP4, Microsoft Windows XP: SP2, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows Server 2008: SP2 Itanium
Unauthorized Access Attempt
Microsoft Windows is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the Embedded OpenType Font Engine (T2EMBED.DLL). By persuading a victim to open a specially-crafted file containing EOT font embedded in the document, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Microsoft Security Bulletin MS09-029
Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
http://www.microsoft.com/technet/security/bulletin/ms09-029.mspx
iDefense PUBLIC ADVISORY: 07.14.09
Microsoft Embedded OpenType Font Engine (T2EMBED.DLL) Heap Buffer Overflow Vulnerability
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=811
Microsoft Security Bulletin MS10-001
Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (972270)
http://www.microsoft.com/technet/security/bulletin/ms10-001.mspx
ISS X-Force
Microsoft Windows EOT buffer overflow
http://www.iss.net/security_center/static/50758.php
CVE
CVE-2009-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0231