Patch Tuesday: Malicious fonts bedevil Microsoft Windows

Microsoft fixes multiple vulnerabilities in how the company's software renders TrueType fonts

Of the six critical security bulletins Microsoft issued in its Patch Tuesday monthly release of software updates, three address a vulnerability in how Microsoft software renders fonts.

"Fonts have become really complicated," said Wolfgang Kandek, chief technology officer for compliance and security software company Qualys. "There is real processing going on when you print a character, and that complexity can be attacked."

The number of critical bulletins Microsoft released this month is a bit higher than normal, Kandek said. Typically, Microsoft issues about two or three critical bulletins on Patch Tuesday, which falls on the second Tuesday of each month. This month, half of the critical bulletins -- MS13-052, MS13-053 and MS13-054 -- address how Microsoft software handles the rendering of TrueType fonts.

With this class of vulnerability, an attacker supplies a font whose embedded size and offset values are crafted so that the font-parsing routine writes past the memory allocated to it and into memory reserved for other data. The malicious font can be delivered to Windows or Internet Explorer (IE) by way of a Web page or a document.

"Depending on where this happens, this can be quite serious," Kandek said.

Windows, for instance, renders TrueType fonts for the screen in kernel mode, with the privileges of the operating system itself rather than those of a standard user account, which has far fewer privileges. An exploit of a font-rendering vulnerability could "go right into the operating system and take control at that level," Kandek said.
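To make the mechanism concrete, here is an added example that is not code from the article, from Qualys or from Microsoft, and is not the actual bug in any of the bulletins. A toy one-table "font" stands in for TrueType: a big-endian header supplies the offset and length of the glyph point data, much as TrueType's table directory does, and a renderer copies that data into a fixed-size point buffer. The vulnerable loader trusts the length the font declares and overwrites what follows the buffer (a canary here, adjacent kernel memory in the real case); the hardened loader validates both font-controlled values before copying, including the offset-plus-length wrap that a naive sum check misses. All names, the file layout and the sample fonts are hypothetical and constructed.

```c
/* Added example, not code from the article, Qualys or Microsoft. A toy
 * one-table "font" stands in for TrueType: a big-endian header gives the
 * offset and length of the glyph point data, as TrueType's table directory
 * does. Names and layout are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_POINTS 8           /* capacity of the renderer's fixed point buffer */
#define CANARY     0xA5A5A5A5u /* stands in for whatever follows that buffer */

struct glyph_frame {           /* what the renderer holds while drawing a glyph */
    int16_t  pts[MAX_POINTS];
    uint32_t canary;
};

struct table_rec { uint32_t offset, length; }; /* both values come from the font */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static int read_record(const uint8_t *font, size_t font_len, struct table_rec *rec) {
    if (font_len < 8) return -1;
    rec->offset = be32(font);
    rec->length = be32(font + 4);
    return 0;
}

/* Vulnerable: copies rec.length bytes because the font said so. The sizeof(*f)
 * cap exists only so this demo cannot crash the harness; a real renderer keeps
 * writing into whatever follows the buffer. The read is unbounded too, so the
 * demos below keep the data inside the file. */
static void load_glyph_unchecked(const uint8_t *font, size_t font_len, struct glyph_frame *f) {
    struct table_rec rec;
    memset(f, 0, sizeof *f);
    f->canary = CANARY;
    if (read_record(font, font_len, &rec) != 0) return;
    uint8_t *dst = (uint8_t *)f;
    for (uint32_t i = 0; i < rec.length && i < sizeof *f; i++)
        dst[i] = font[rec.offset + i];
}

/* Hardened: validates both font-controlled values before the copy. Returns the
 * number of points loaded, or -1 if the font is rejected. */
static int load_glyph_checked(const uint8_t *font, size_t font_len, struct glyph_frame *f) {
    struct table_rec rec;
    memset(f, 0, sizeof *f);
    f->canary = CANARY;
    if (read_record(font, font_len, &rec) != 0) return -1;
    /* Data must lie inside the file; subtraction form, so offset+length cannot wrap. */
    if (rec.offset > font_len || rec.length > font_len - rec.offset) return -1;
    /* Data must fit the buffer the renderer actually has, in whole points. */
    if (rec.length > sizeof f->pts || rec.length % sizeof(int16_t) != 0) return -1;
    memcpy(f->pts, font + rec.offset, rec.length);
    return (int)(rec.length / sizeof(int16_t));
}

/* Constructed sample font: a header claiming (claimed_off, claimed_len), then
 * data_len filler bytes of point data. The header is free to lie. */
static size_t build_font(uint8_t *buf, size_t cap, uint32_t claimed_off,
                         uint32_t claimed_len, size_t data_len) {
    if (cap < 8 + data_len) return 0;
    put32(buf, claimed_off);
    put32(buf + 4, claimed_len);
    memset(buf + 8, 0x41, data_len);
    return 8 + data_len;
}

/* Hostile font with an honest offset but a length four times the point buffer.
 * Returns 1 if the unchecked loader wrote past pts[] into the canary. */
int demo_unchecked_clobbers_canary(void) {
    uint8_t font[8 + 64];
    struct glyph_frame f;
    size_t n = build_font(font, sizeof font, 8, 64, 64);
    load_glyph_unchecked(font, n, &f);
    return f.canary != CANARY;
}

/* Builds a sample font from the given header values and returns the checked
 * loader's verdict. */
static int checked_verdict(uint32_t claimed_off, uint32_t claimed_len, size_t data_len) {
    uint8_t font[8 + 64];
    struct glyph_frame f;
    size_t n = build_font(font, sizeof font, claimed_off, claimed_len, data_len);
    return load_glyph_checked(font, n, &f);
}

int demo_checked_accepts_benign(void)    { return checked_verdict(8, 16, 16); } /* 8 points */
int demo_checked_rejects_oversized(void) { return checked_verdict(8, 64, 64); } /* -1 */
/* offset + length wraps to 8 in uint32 arithmetic; a naive sum check would pass it. */
int demo_checked_rejects_wrapping(void)  { return checked_verdict(0xFFFFFFF8u, 16, 16); } /* -1 */
```

The two loaders differ only in the checks before the copy, which is the point: the bytes that decide how much to write come from the file the attacker sent, so every one of them has to be compared against the file size and the destination buffer, and the comparison has to be written so the arithmetic itself cannot overflow.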

Overall, Microsoft issued six critical bulletins, covering Windows OS, the .NET Framework, Silverlight, Office, Visual Studio, Lync and IE. A seventh bulletin, labeled as important, covers the Windows Defender security software.

All six of the critical bulletins cover remote code execution vulnerabilities, which let an attacker run code of their choosing on a victim's machine.

Seventeen of the 34 vulnerabilities covered in the bulletins address IE. "Researchers continue to find flaws in IE, and the attack surface is pretty big," Kandek said, referring to how Microsoft is now supporting five different versions of the browser. The vulnerabilities affect IE versions six through 10 that run on Windows XP, Windows Vista, Windows 7, Windows 8, Windows Server 2003, Windows Server 2008 and Windows RT.

"The major problem there is that users or companies still maintain old versions of the browser. We would be better off if everyone was on the newer version" of IE, Kandek said.

One Windows kernel vulnerability, which affects memory management, has already been publicly disclosed, and a working exploit module for it is available in the Metasploit penetration testing framework. Security researchers are urging administrators to update their installations of Windows XP, Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2012 and Windows RT as soon as possible.

"July is one of the uglier releases we've seen from Microsoft this year. To say that all Microsoft products are affected and everything is affected critically is not an overstatement," wrote Lumension security and forensic analyst Paul Henry in an email statement. "It's difficult to prioritize one or two because all the bulletins likely need your attention this Patch Tuesday."

In addition to Microsoft's patches, administrators should also take a look at Adobe's monthly set of patches, also released Tuesday. They cover vulnerabilities in Adobe Flash, Shockwave and ColdFusion, Adobe's server-side Web application platform.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com
