=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN527
_____________________________________________________________________

DATE                      : 15/12/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows XP, Windows Vista, Windows 7, Windows Server 2003,
                             Windows Server 2008 running OpenType Font Driver.

======================================================================
KB2296199
http://www.microsoft.com/technet/security/Bulletin/MS10-091.mspx
______________________________________________________________________

Microsoft Security Bulletin MS10-091 - Critical
Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code
Execution (2296199)

Version: 1.0

General Information

Executive Summary

  This security update resolves several privately reported vulnerabilities in
  the Windows Open Type Font (OTF) driver that could allow remote code
  execution. An attacker could host a specially crafted OpenType font on a
  network share. The affected control path is then triggered when the user
  navigates to the share in Windows Explorer, allowing the specially crafted
  font to take complete control over an affected system. An attacker could
  then install programs; view, change, or delete data; or create new accounts
  with full user rights.

  This security update is rated Critical for all supported editions of Windows
  Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. This
  security update is also rated Important for all supported editions of
  Windows XP and Windows Server 2003. For more information, see the
  subsection, Affected and Non-Affected Software, in this section.

  The security update addresses the vulnerabilities by correcting the way that
  the OpenType Font (OTF) driver indexes arrays when parsing OpenType fonts,
  resets pointers when freeing memory, and parses the CMAP table when
  rendering OpenType fonts. For more information about the vulnerabilities,
  see the Frequently Asked Questions (FAQ) subsection for the specific
  vulnerability entry under the next section, Vulnerability Information.

Affected Software

  Windows XP Service Pack 3
  Windows XP Professional x64 Edition Service Pack 2
  Windows Server 2003 Service Pack 2
  Windows Server 2003 x64 Edition Service Pack 2
  Windows Server 2003 with SP2 for Itanium-based Systems
  Windows Vista Service Pack 1
  Windows Vista Service Pack 2
  Windows Vista x64 Edition Service Pack 1
  Windows Vista x64 Edition Service Pack 2
  Windows Server 2008 for 32-bit Systems
  Windows Server 2008 for 32-bit Systems Service Pack 2*
  Windows Server 2008 for x64-based Systems
  Windows Server 2008 for x64-based Systems Service Pack 2*
  Windows Server 2008 for Itanium-based Systems
  Windows Server 2008 for Itanium-based Systems Service Pack 2
  Windows 7 for 32-bit Systems
  Windows 7 for x64-based Systems
  Windows Server 2008 R2 for x64-based Systems*
  Windows Server 2008 R2 for Itanium-based Systems

Vulnerability Information

OpenType Font Index Vulnerability - CVE-2010-3956

  A remote code execution vulnerability exists in the way that the OpenType
  Font (OTF) driver improperly parses specially crafted OpenType fonts. An
  attacker who successfully exploited this vulnerability could run arbitrary
  code in kernel mode. An attacker could then install programs; view, change,
  or delete data; or create new accounts with full user rights.

OpenType Font Double Free Vulnerability - CVE-2010-3957

  A remote code execution vulnerability exists in the way that the OpenType
  Font (OTF) driver improperly parses specially crafted OpenType fonts. An
  attacker who successfully exploited this vulnerability could run arbitrary
  code in kernel mode. An attacker could then install programs; view, change,
  or delete data; or create new accounts with full user rights.

OpenType CMAP Table Vulnerability - CVE-2010-3959

  A remote code execution vulnerability exists in the way that the OpenType
  Font (OTF) driver improperly parses specially crafted OpenType fonts. An
  attacker who successfully exploited this vulnerability could run arbitrary
  code in kernel mode. An attacker could then install programs; view,
  change, or delete data; or create new accounts with full user rights.

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================