Proventia Server IPS for Linux technology, RealSecure Network, RealSecure Server Sensor, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IPS, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology, Proventia Server for VMware:
This event triggers when a malformed EOT file is detected.
Proventia Server IPS for Linux technology, RealSecure Network, RealSecure Server Sensor, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IPS, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology, Proventia Server for VMware: None
Proventia Server IPS for Linux technology, RealSecure Network, RealSecure Server Sensor, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IPS, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology, Proventia Server for VMware: This event will not trigger when a TTF or EOT file is compressed.
High
Proventia Server IPS for Linux technology: 29.110, RealSecure Network: XPU 29.110, RealSecure Server Sensor: XPU 29.110, Proventia Network IDS: XPU 29.110, Proventia-G 1.1 and earlier: XPU 29.110, Proventia Desktop: 2450, Proventia Network IPS: XPU 29.110, Proventia Network MFS: XPU 29.110, Proventia Server IPS for Microsoft Windows technology: 2.0.300.2450, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2450, Proventia Server for VMware: 1.0
Microsoft Windows 2000: SP4, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: SP2, Microsoft Windows 2003 Server: SP2 Itanium, Microsoft Windows 2003 Server: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows XP: SP3
Unauthorized Access Attempt
Microsoft Windows kernel-mode drivers could allow a remote attacker to execute arbitrary code on the system because font code is parsed improperly when building a table of directory entries. By persuading a victim to open a specially crafted file containing an EOT font embedded in the document, a remote attacker could execute arbitrary code on the system or cause the application to crash.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS09-065. See References.
Microsoft Security Bulletin MS09-065
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)
http://www.microsoft.com/technet/security/bulletin/ms09-065.mspx
IBM Internet Security Systems Protection Alert
Microsoft Windows kernel font code execution
http://www.iss.net/threats/354.html
ISS X-Force
Microsoft Windows kernel font code execution
http://www.iss.net/security_center/static/53974.php
CVE
CVE-2009-2514
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2514