RE: [libreoffice-users] MS font exploit

There are two microsoft.com pages that relate to this situation.  The problem 
is that the exploit happens against the kernel (in GDI, etc.) so there is not 
much to do about it in any applications.

The knowledge-base KB article is the most helpful in terms of mitigation.

Any application that handles its own TrueType font handling by other than the 
Windows call that accomplish font handling and rendering need to look to see 
if they have any vulnerability in their parser.  This also applies to any 
non-Windows support for TrueType fonts that run on the same architectures as 
Windows.  There's not enough public information to know what to look for. I 
expect that there is cross-platform cooperation at the security-team levels on 
this one.

Meanwhile, the only remedy at the moment is to apply the workarounds that 
apply to Windows.

Here is what I can discern from the sketchy information:

 1. The exploit requires a specially-crafted TrueType Font package.
 2. The vulnerability is exploited when such a font is parsed as part of 
rendering of any presentation using the Windows internal support TrueType 
fonts.
 3. There is a fix available at the knowledge base article.  It *appears* in 
my non-expert reading to prevent use of the intrinsic support for embedded 
fonts, since this a potentially-appealing avenue of attack via 
specially-crafted documents.  Fixes to close that door, and to reopen it 
later, are available at the KB article.

I suspect that the workaround has no impact on LO and OO.o operability, 
although I guess the thing to do is turn on the workaround and see for sure.

I'm going to do that as soon as I do some system backups first.



 - Dennis E. Hamilton
   tools for document interoperability,  <http://nfoWorks.org/>
   dennis.hamilton@acm.org  gsm: +1-206-779-9430  @orcmid




-----Original Message-----
From: Bob Williams [mailto:linux@barrowhillfarm.org.uk]
Sent: Saturday, November 05, 2011 10:25
To: users@global.libreoffice.org
Subject: Re: [libreoffice-users] MS font exploit

On 04/11/11 22:54, Tom Davies wrote:
> Hi :(
>
> Bad news from MS again.
> http://technet.microsoft.com/en-us/security/advisory/2639658
> http://support.microsoft.com/kb/2639658
>
>
>
> http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
> I'm not sure what they mean by "Unfortunately, no robust workarounds exist 
> at this time other than following best practices, such as avoiding documents 
> from unknown parties and utilizing alternative software.".  Alternative to 
> what?  Is it just MS Office or would this affect LO too (since it goes 
> through fonts?)?
>
> The common sense methods for avoiding it have limited use as we have to 
> sometimes read documents from sources we are not completely confident about. 
> It's ok for a few days.
> Regards from
> Tom :)
APPLIES TO

     Windows 7 Service Pack 1, when used with:
         Windows 7 Enterprise
         Windows 7 Professional
         Windows 7 Ultimate
         Windows 7 Home Premium
         Windows 7 Home Basic
     Windows 7 Enterprise
     Windows 7 Professional
     Windows 7 Ultimate
     Windows 7 Home Premium
     Windows 7 Home Basic
     Windows Server 2008 R2 Service Pack 1, when used with:
         Windows Server 2008 R2 Standard
         Windows Server 2008 R2 Enterprise
         Windows Server 2008 R2 Datacenter
     Windows Server 2008 R2 Standard
     Windows Server 2008 R2 Enterprise
     Windows Server 2008 R2 Datacenter
     Windows Server 2008 Service Pack 2, when used with:
         Windows Server 2008 for Itanium-Based Systems
         Windows Server 2008 Datacenter
         Windows Server 2008 Enterprise
         Windows Server 2008 Standard
         Windows Web Server 2008
     Windows Vista Service Pack 2, when used with:
         Windows Vista Business
         Windows Vista Enterprise
         Windows Vista Home Basic
         Windows Vista Home Premium
         Windows Vista Starter
         Windows Vista Ultimate
         Windows Vista Enterprise 64-bit Edition
         Windows Vista Home Basic 64-bit Edition
         Windows Vista Home Premium 64-bit Edition
         Windows Vista Ultimate 64-bit Edition
         Windows Vista Business 64-bit Edition
     Microsoft Windows Server 2003 Service Pack 2, when used with:
         Microsoft Windows Server 2003, Standard Edition (32-bit x86)
         Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
         Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
         Microsoft Windows Server 2003, Web Edition
         Microsoft Windows Server 2003, Datacenter x64 Edition
         Microsoft Windows Server 2003, Enterprise x64 Edition
         Microsoft Windows Server 2003, Standard x64 Edition
         Microsoft Windows XP Professional x64 Edition
         Microsoft Windows Server 2003, Datacenter Edition for
Itanium-Based Systems
         Microsoft Windows Server 2003, Enterprise Edition for
Itanium-based Systems
     Microsoft Windows XP Service Pack 3, when used with:
         Microsoft Windows XP Home Edition
         Microsoft Windows XP Professional

Whew! Yet another reason to run linux. :)
-- 
Bob Williams
System:  Linux 2.6.37.6-0.7-desktop
Distro:  openSUSE 11.4 (x86_64) with KDE Development Platform: 4.7.2
(4.7.2) "release 9"
Uptime:  06:00am up 6 days 10:59, 3 users, load average: 0.04, 0.04, 0.29

-- 
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? 
http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

-- 
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted