Avoiding the Windows Fonts of Doom

Another day, another Windows security hole patched, but don't delay putting the latest patch in for Web font problems or you may be in for a world of hurt.

It's easy to say you should patch your Windows PC as soon as possible. But, if you have a business with hundreds of PCs, and an even greater number of ways that a patch might cause trouble, you can't be blamed for wanting to do make darn sure the patch doesn't cause more trouble than it fixes before implementing it. Except, for days like today.

You see, in the blockbuster November 2009 Windows patch fest, the fixes included a repair for a really nasty, really easy to exploit security hole: Microsoft Security Bulletin MS09-065. This Windows kernel vulnerability is found in all but the newest versions of Windows: Windows 7 and Windows Server 2008 R2. Unlike most security holes you don't have to do anything to get zapped by this one. If you use Internet Explorer to visit a malicious site that's been set up as a trap for people who are vulnerable to this bug-bang! An attacker can do pretty-much whatever he or she wants to your vulnerable PC.

At the least, they'll be able to crash your Windows PC. At most, and more likely, they'll infect it with malware. From there, you may get your financial information ripped off, become a source for spam, or even become the piggy-bank for a pervert's kiddie-porn.

While this may sound like yet another Internet Explorer bug, that's not really the case. It's actually a vulnerability that's at a lower level: the Win32k kernel mode driver.

Here's how it works. Anytime you open a booby-trapped Web page, or a Microsoft Office document, the Windows kernel improperly reads Microsoft's EOT (Embedded OpenType) fonts. EOT are a compact form of Microsoft's TrueType fonts. The idea behind EOT was to make it possible for viewers to see a Web site with Microsoft's fonts. EOT has never really taken off, but the capability, and thus the hole, is still in older versions of Windows.

It's only a matter of time now, experts agree, before crackers are using the EOT hole to start their attacks. So, the smart move is to go ahead and patch your PCs now rather than wait.

There's no other easy way to avoid the problem. Anti-virus programs are expected to have trouble spotting potential trouble since EOT is a compressed format and by the time the A/V software works out what it's doing, it's already been expanded and is in play. You could, of course, turn off IE's support for embedded fonts (Tools/Internet Options/General/Accessibility and click on Ignore font styles and Ignore font sizes) or just use Firefox or Chrome, but that still leaves your PC vulnerable to infected Word and PowerPoint documents.

No, this is a case where you just need to patch and patch now if you want to be safe.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies