Avoiding the Windows Fonts of Doom
Another day, another Windows security hole patched, but don't delay putting the latest patch in for Web font problems or you may be in for a world of hurt.
It's easy to say you should patch your Windows PC as soon as possible. But, if you have a business with hundreds of PCs, and an even greater number of ways that a patch might cause trouble, you can't be blamed for wanting to do make darn sure the patch doesn't cause more trouble than it fixes before implementing it. Except, for days like today.
You see, in the blockbuster November 2009 Windows patch fest, the fixes included a repair for a really nasty, really easy to exploit security hole: Microsoft Security Bulletin MS09-065. This Windows kernel vulnerability is found in all but the newest versions of Windows: Windows 7 and Windows Server 2008 R2. Unlike most security holes you don't have to do anything to get zapped by this one. If you use Internet Explorer to visit a malicious site that's been set up as a trap for people who are vulnerable to this bug-bang! An attacker can do pretty-much whatever he or she wants to your vulnerable PC.
At the least, they'll be able to crash your Windows PC. At most, and more likely, they'll infect it with malware. From there, you may get your financial information ripped off, become a source for spam, or even become the piggy-bank for a pervert's kiddie-porn.
While this may sound like yet another Internet Explorer bug, that's not really the case. It's actually a vulnerability that's at a lower level: the Win32k kernel mode driver.
Here's how it works. Anytime you open a booby-trapped Web page, or a Microsoft Office document, the Windows kernel improperly reads Microsoft's EOT (Embedded OpenType) fonts. EOT are a compact form of Microsoft's TrueType fonts. The idea behind EOT was to make it possible for viewers to see a Web site with Microsoft's fonts. EOT has never really taken off, but the capability, and thus the hole, is still in older versions of Windows.
It's only a matter of time now, experts agree, before crackers are using the EOT hole to start their attacks. So, the smart move is to go ahead and patch your PCs now rather than wait.
There's no other easy way to avoid the problem. Anti-virus programs are expected to have trouble spotting potential trouble since EOT is a compressed format and by the time the A/V software works out what it's doing, it's already been expanded and is in play. You could, of course, turn off IE's support for embedded fonts (Tools/Internet Options/General/Accessibility and click on Ignore font styles and Ignore font sizes) or just use Firefox or Chrome, but that still leaves your PC vulnerable to infected Word and PowerPoint documents.
No, this is a case where you just need to patch and patch now if you want to be safe.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
PS3 motion controller delayed; goes up against Project Natal
sjvn
Neolithic Windows security hole alive and well in Windows 7
claird
Perl source code comparison makes for good reading
mikelgan
Cell phones don't create stress or interrupt much
Sandra Henry-Stocker
How to: The Unix Interview
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Ubuntu advances: Why Ubuntu server installations will surge in 2010
- Social media marketing: How to make friends with benefits
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
