MS09-029: Vulnerabilities in the EOT parsing engine

Today we released MS09-029, which addresses vulnerabilities related to EOT font files. To answer a few commonly asked questions, here is a brief FAQ regarding the update:

Q: What is the EOT file format?
A: EOT stands for Embedded OpenType Font. EOT support in Microsoft applications has existed for many years. It allows the fonts used in the creation of a document to travel with that document, ensuring that a user sees documents exactly as the designer intended them. Font embedding technology also exists on the web, allowing web pages to embed their own fonts.

Q: What is the risk?
A: Two commonly used applications that consume EOT files are Internet Explorer and Microsoft Office. A snippet of HTML used to render a specific font in Internet Explorer would look something like this:


@font-face { font-family: "zhfont"; src: url(foo.eot) }


It is possible to navigate to a web site and have it render HTML, which then attempts to load a malicious font file. As a result, there is a “browse and get owned” attack scenario and we recommend updating your system as soon as you can.
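For defenders who want to know which pages or cached content pull in EOT fonts, the following added example (not part of the original post) extracts `@font-face` sources that reference EOT files from HTML/CSS text. The sample page, host names and function names are constructed for illustration.

```python
import re

# Constructed sample page (not from the original post).
SAMPLE_HTML = """<html><head><style>
/* @font-face { src: url(commented-out.eot) } */
@font-face { font-family: "zhfont"; src: url(foo.eot) }
@FONT-FACE { font-family: 'b'; src: url("https://fonts.example/b.eot?#iefix") format("embedded-opentype"),
             url(b.woff) format("woff") }
@font-face { font-family: c; src: url(c.ttf) }
@font-face { font-family: d; src: url('/fonts/d') format('embedded-opentype') }
</style></head><body>text</body></html>"""

COMMENT = re.compile(r"/\*.*?\*/", re.S)
FONT_FACE = re.compile(r"@font-face\s*\{(.*?)\}", re.I | re.S)
# url(...) with optional quotes, followed by an optional format("...") hint.
SRC_URL = re.compile(
    r"url\(\s*(['\"]?)(.*?)\1\s*\)(?:\s*format\(\s*['\"]?([\w-]+)['\"]?\s*\))?",
    re.I | re.S)
FAMILY = re.compile(r"font-family\s*:\s*['\"]?([^;'\"}]+)", re.I)

def is_eot(url, fmt):
    """EOT if the format hint says so, or the path (minus query/fragment) ends in .eot."""
    path = re.split(r"[?#]", url, maxsplit=1)[0]
    return (fmt or "").lower() == "embedded-opentype" or path.lower().endswith(".eot")

def find_eot_references(text):
    """Return (font-family, url) pairs for every @font-face source that loads an EOT file."""
    hits = []
    # Strip CSS comments first so commented-out rules are not reported.
    for body in FONT_FACE.findall(COMMENT.sub("", text)):
        fam = FAMILY.search(body)
        family = fam.group(1).strip() if fam else "?"
        for _quote, url, fmt in SRC_URL.findall(body):
            if is_eot(url, fmt):
                hits.append((family, url))
    return hits

if __name__ == "__main__":
    for family, url in find_eot_references(SAMPLE_HTML):
        print(f"EOT font reference: family={family!r} url={url}")
```

The check is textual only: it flags where an EOT file would be requested and does not inspect the font file itself.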

Q: How effective are the different workaround options listed in the bulletin?
A: The different workaround options listed in the bulletin are all effective, though ACL’ing t2embed.dll is perhaps the best cross-product workaround because it will prevent unidentified applications from loading t2embed.dll as well. Do remember that if you choose to ACL the binary as a workaround, you will need to un-ACL it before applying the security update, or the update will fail.

Q: If I ACL t2embed.dll, will IE/Office still work?
A: Yes. If you browse to a site which tries to install a font, you will still be able to view the site, though the font provided by that site will not be rendered.

Q: Is the EOT functionality reachable through 3rd party code?
A: Yes. The t2embed library provides EOT functionality that can be used by 3rd party code. Many 3rd parties import t2embed for their font rendering, though some may choose to implement their own font rendering.

– Brian Cavenah, MSRC Engineering

*Posting is provided “AS IS” with no warranties, and confers no rights.*