There are two microsoft.com pages that relate to this situation. The problem
is that the exploit happens against the kernel (in GDI, etc.) so there is not
much to do about it in any applications.
The knowledge-base KB article is the most helpful in terms of mitigation.
Any application that handles its own TrueType font handling by other than the
Windows call that accomplish font handling and rendering need to look to see
if they have any vulnerability in their parser. This also applies to any
non-Windows support for TrueType fonts that run on the same architectures as
Windows. There's not enough public information to know what to look for. I
expect that there is cross-platform cooperation at the security-team levels on
this one.
Meanwhile, the only remedy at the moment is to apply the workarounds that
apply to Windows.
Here is what I can discern from the sketchy information:
1. The exploit requires a specially-crafted TrueType Font package.
2. The vulnerability is exploited when such a font is parsed as part of
rendering of any presentation using the Windows internal support TrueType
fonts.
3. There is a fix available at the knowledge base article. It *appears* in
my non-expert reading to prevent use of the intrinsic support for embedded
fonts, since this a potentially-appealing avenue of attack via
specially-crafted documents. Fixes to close that door, and to reopen it
later, are available at the KB article.
I suspect that the workaround has no impact on LO and OO.o operability,
although I guess the thing to do is turn on the workaround and see for sure.
I'm going to do that as soon as I do some system backups first.
- Dennis E. Hamilton
tools for document interoperability, <http://nfoWorks.org/>
dennis.hamilton@acm.org gsm: +1-206-779-9430 @orcmid
-----Original Message-----
From: Bob Williams [mailto:linux@barrowhillfarm.org.uk]
Sent: Saturday, November 05, 2011 10:25
To: users@global.libreoffice.org
Subject: Re: [libreoffice-users] MS font exploit
On 04/11/11 22:54, Tom Davies wrote:
Hi :(
Bad news from MS again.
http://technet.microsoft.com/en-us/security/advisory/2639658
http://support.microsoft.com/kb/2639658
http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
I'm not sure what they mean by "Unfortunately, no robust workarounds exist
at this time other than following best practices, such as avoiding documents
from unknown parties and utilizing alternative software.". Alternative to
what? Is it just MS Office or would this affect LO too (since it goes
through fonts?)?
The common sense methods for avoiding it have limited use as we have to
sometimes read documents from sources we are not completely confident about.
It's ok for a few days.
Regards from
Tom :)
APPLIES TO
Windows 7 Service Pack 1, when used with:
Windows 7 Enterprise
Windows 7 Professional
Windows 7 Ultimate
Windows 7 Home Premium
Windows 7 Home Basic
Windows 7 Enterprise
Windows 7 Professional
Windows 7 Ultimate
Windows 7 Home Premium
Windows 7 Home Basic
Windows Server 2008 R2 Service Pack 1, when used with:
Windows Server 2008 R2 Standard
Windows Server 2008 R2 Enterprise
Windows Server 2008 R2 Datacenter
Windows Server 2008 R2 Standard
Windows Server 2008 R2 Enterprise
Windows Server 2008 R2 Datacenter
Windows Server 2008 Service Pack 2, when used with:
Windows Server 2008 for Itanium-Based Systems
Windows Server 2008 Datacenter
Windows Server 2008 Enterprise
Windows Server 2008 Standard
Windows Web Server 2008
Windows Vista Service Pack 2, when used with:
Windows Vista Business
Windows Vista Enterprise
Windows Vista Home Basic
Windows Vista Home Premium
Windows Vista Starter
Windows Vista Ultimate
Windows Vista Enterprise 64-bit Edition
Windows Vista Home Basic 64-bit Edition
Windows Vista Home Premium 64-bit Edition
Windows Vista Ultimate 64-bit Edition
Windows Vista Business 64-bit Edition
Microsoft Windows Server 2003 Service Pack 2, when used with:
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Datacenter x64 Edition
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003, Standard x64 Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003, Datacenter Edition for
Itanium-Based Systems
Microsoft Windows Server 2003, Enterprise Edition for
Itanium-based Systems
Microsoft Windows XP Service Pack 3, when used with:
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Whew! Yet another reason to run linux. :)
--
Bob Williams
System: Linux 2.6.37.6-0.7-desktop
Distro: openSUSE 11.4 (x86_64) with KDE Development Platform: 4.7.2
(4.7.2) "release 9"
Uptime: 06:00am up 6 days 10:59, 3 users, load average: 0.04, 0.04, 0.29
--
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems?
http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
--
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
Context
Privacy Policy |
Impressum (Legal Info) |
Copyright information: Unless otherwise specified, all text and images
on this website are licensed under the
Creative Commons Attribution-Share Alike 3.0 License.
This does not include the source code of LibreOffice, which is
licensed under the Mozilla Public License (
MPLv2).
"LibreOffice" and "The Document Foundation" are
registered trademarks of their corresponding registered owners or are
in actual use as trademarks in one or more countries. Their respective
logos and icons are also subject to international copyright laws. Use
thereof is explained in our
trademark policy.