SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#915930

Microsoft embedded web font buffer overflow

Overview

A heap-based buffer overflow in the way Microsoft Windows processes embedded web fonts may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Microsoft Windows contains a heap-based buffer overflow in a routine that processes embedded web fonts. The overflow exists due to a lack of validation on compressed embedded web fonts. A remote attacker may be able to trigger the buffer overflow by persuading a user to access a web page or HTML email containing a specially crafted embedded web font.

For more information about affected versions of Microsoft Windows, please refer to MS06-002.

II. Impact

A remote attacker may be able to execute arbitrary code with the privileges of the attacked user account.

III. Solution

Apply an update

Microsoft Security Bulletin MS06-002 contains an update to correct this vulnerability.

In addition Microsoft suggests the following workarounds to mitigate this vulnerability:

  • Read and send email in plain text format
  • Configure Font Download to “Prompt or Disable” in the Internet and Local Intranet Zones.

Please see Microsoft Security Bulletin MS06-002 for details on these workarounds.

Systems Affected
VendorStatusDate Updated
Microsoft CorporationVulnerable10-Jan-2006

References


http://www.microsoft.com/technet/security/bulletin/ms06-002.mspx
http://www.microsoft.com/typography/web/embedding/

Credit

This vulnerability was reported in Microsoft Security Bulletin MS06-002. Microsoft credits eEye Digital Security with providing information regarding this issue.

This document was written by Jeff Gennari.

Other Information

Date Public01/10/2006
Date First Published01/10/2006 03:26:29 PM
Date Last Updated01/10/2006
CERT Advisory 
CVE NameCVE-2006-0010
US-CERT Technical Alerts 
Metric10.69
Document Revision24

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader