siberas GmbH is a consulting company specialising in security analyses and penetration tests, advising you competently and vendor-independently in the field of IT security.


Microsoft Embedded OpenType (.eot) Font Parsing Heap Overflow Vulnerability

Reference ID: SSA-1021
Publication date: 12.10.2010
Severity: critical
Discovered by: Sebastian Apelt

Affected versions: please check the Microsoft advisory for affected OS versions

A critical vulnerability exists in the .eot (Embedded OpenType) parsing code within t2embed.dll. When parsing embedded MTX-compressed (MicroType Express) font files, the multiplication of two attacker-controlled values can lead to an integer overflow, which results in a heap overflow later on. This heap overflow can be abused to achieve code execution in the process that performs the .eot parsing (probably IE only).

The vulnerability specifically exists in the parsing code of the _MTX_TTC_CTF_To_TTF function. In order to reach the vulnerable code, the font file needs an embedded 'hdmx' table. The hdmx header looks as follows:

Datatype      Name                 Description
USHORT        Version              Table version number
USHORT        numRecords           Number of device records
LONG          sizeDeviceRecords    Size of device record
DeviceRecord  Records[numRecords]  Array of device records

The problem is an unchecked multiplication of numRecords * sizeDeviceRecords, which can lead to an int32 overflow. The wrapped product results in the allocation of a small buffer, which is then overflowed when the records are copied in. The heap overflow can be abused to execute code in the browser context.
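The following C program is an added illustration of the arithmetic described above; it is not code from t2embed.dll, from Microsoft or from siberas. It parses a constructed big-endian hdmx header, shows how the 32-bit product numRecords * sizeDeviceRecords wraps to a small allocation size, and contrasts that with a checked computation that rejects the same header. The function names and the header bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* hdmx header fields as listed in the table above (OpenType layout).
 * Struct and function names are assumptions for this example. */
typedef struct {
    uint16_t version;
    uint16_t numRecords;
    int32_t  sizeDeviceRecords;
} hdmx_header_t;

/* Read the 8-byte big-endian header (USHORT, USHORT, LONG). */
static hdmx_header_t hdmx_parse_header(const uint8_t *p)
{
    hdmx_header_t h;
    h.version           = (uint16_t)((p[0] << 8) | p[1]);
    h.numRecords        = (uint16_t)((p[2] << 8) | p[3]);
    h.sizeDeviceRecords = (int32_t)(((uint32_t)p[4] << 24) | ((uint32_t)p[5] << 16) |
                                    ((uint32_t)p[6] << 8)  |  (uint32_t)p[7]);
    return h;
}

/* Unchecked 32-bit product, mirroring the defect described in the advisory:
 * the multiplication silently wraps, so the caller allocates a tiny buffer. */
uint32_t hdmx_size_unchecked(uint16_t numRecords, int32_t sizeDeviceRecords)
{
    return (uint32_t)numRecords * (uint32_t)sizeDeviceRecords;
}

/* Hardened computation: widen to 64 bits, reject non-positive record sizes,
 * reject products that do not fit in 32 bits or exceed the bytes actually
 * present in the table. Returns the byte count, or -1 if the header is unsafe. */
int64_t hdmx_size_checked(uint16_t numRecords, int32_t sizeDeviceRecords, size_t available)
{
    if (sizeDeviceRecords <= 0)
        return -1;
    uint64_t need = (uint64_t)numRecords * (uint64_t)sizeDeviceRecords;
    if (need > UINT32_MAX || need > (uint64_t)available)
        return -1;
    return (int64_t)need;
}

int main(void)
{
    /* Constructed header: version 0, numRecords 16, sizeDeviceRecords 0x10000001.
     * 16 * 0x10000001 = 0x100000010, which wraps to 0x10 in 32-bit arithmetic. */
    const uint8_t bad_bytes[8] = { 0x00, 0x00, 0x00, 0x10, 0x10, 0x00, 0x00, 0x01 };
    hdmx_header_t bad = hdmx_parse_header(bad_bytes);

    printf("numRecords=%u sizeDeviceRecords=%d\n", bad.numRecords, bad.sizeDeviceRecords);
    printf("unchecked allocation size: %u bytes\n",
           hdmx_size_unchecked(bad.numRecords, bad.sizeDeviceRecords));
    printf("checked result (table holds 1024 bytes): %lld\n",
           (long long)hdmx_size_checked(bad.numRecords, bad.sizeDeviceRecords, 1024));

    /* A well-formed header: 4 records of 40 bytes each. */
    printf("checked result for 4 x 40: %lld\n",
           (long long)hdmx_size_checked(4, 40, 1024));
    return 0;
}
```

The checked variant bounds the product against the size of the table actually embedded in the font, which is the check a parser of untrusted font data needs in addition to overflow detection: a product that fits in 32 bits but exceeds the bytes present is still an out-of-bounds read.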

Microsoft Security Advisory MS10-076