Security Bulletin
Microsoft Security Bulletin MS13-060 - Critical
Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2850869)
Published: August 13, 2013
Version: 1.0
General Information
Executive Summary
This security update resolves a privately reported vulnerability in the Unicode Scripts Processor included in Microsoft Windows. The vulnerability could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for all supported editions of Windows XP and Windows Server 2003. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by correcting the way that Microsoft Windows parses specific characteristics of OpenType fonts. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.
See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
Knowledge Base Article
| Knowledge Base Article | 2850869 |
|---|---|
| File information | Yes |
| SHA1/SHA2 hashes | Yes |
| Known issues | None |
Affected and Non-Affected Software
The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
Affected Software
| Operating System | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced |
|---|---|---|---|
| Windows XP | |||
| Windows XP Service Pack 3 (2850869) | Remote Code Execution | Critical | 981322 in MS10-063 |
| Windows XP Professional x64 Edition Service Pack 2 (2850869) | Remote Code Execution | Critical | 981322 in MS10-063 |
| Windows Server 2003 | |||
| Windows Server 2003 Service Pack 2 (2850869) | Remote Code Execution | Critical | 981322 in MS10-063 |
| Windows Server 2003 x64 Edition Service Pack 2 (2850869) | Remote Code Execution | Critical | 981322 in MS10-063 |
| Windows Server 2003 with SP2 for Itanium-based Systems (2850869) | Remote Code Execution | Critical | 981322 in MS10-063 |
** **
Non-Affected Software
| Software |
|---|
| Microsoft Windows |
| Windows Vista Service Pack 2 |
| Windows Vista x64 Edition Service Pack 2 |
| Windows Server 2008 for 32-bit Systems Service Pack 2 |
| Windows Server 2008 for x64-based Systems Service Pack 2 |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 |
| Windows 7 for 32-bit Systems Service Pack 1 |
| Windows 7 for x64-based Systems Service Pack 1 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 |
| Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 |
| Windows 8 for 32-bit Systems |
| Windows 8 for 64-bit Systems |
| Windows Server 2012 |
| Windows RT |
| Windows Server Core installation option |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) |
| Windows Server 2012 (Server Core installation) |
| Microsoft Office software |
| Microsoft Office 2003 Service Pack 3 |
| Microsoft Office 2007 Service Pack 3 |
| Microsoft Office 2010 Service Pack 1 (32-bit editions) |
| Microsoft Office 2010 Service Pack 1 (64-bit editions) |
| Microsoft Office 2013 (32-bit editions) |
| Microsoft Office 2013 (64-bit editions) |
| Microsoft Office 2013 RT |
| Microsoft Office for Mac 2011 |
| Microsoft Office Compatibility Pack Service Pack 3 |
Update FAQ
I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, see the Microsoft Support Lifecycle website.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Service Pack Lifecycle Support Policy.
Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, see the Microsoft Worldwide Information website, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.
Vulnerability Information
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the August bulletin summary. For more information, see Microsoft Exploitability Index.
| Affected Software | Uniscribe Font Parsing Engine Memory Corruption Vulnerability - CVE-2013-3181 | Aggregate Severity Rating |
|---|---|---|
| Windows XP | ||
| Windows XP Service Pack 3 | Critical Remote Code Execution | Critical |
| Windows XP Professional x64 Edition Service Pack 2 | Critical Remote Code Execution | Critical |
| Windows Server 2003 | ||
| Windows Server 2003 Service Pack 2 | Critical Remote Code Execution | Critical |
| Windows Server 2003 x64 Edition Service Pack 2 | Critical Remote Code Execution | Critical |
| Windows Server 2003 with SP2 for Itanium-based Systems | Critical Remote Code Execution | Critical |
Uniscribe Font Parsing Engine Memory Corruption Vulnerability - CVE-2013-3181
A remote code execution vulnerability exists in the Unicode Scripts Processor included in affected versions of Microsoft Windows. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2013-3181.
Mitigating Factors
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
- In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.
- An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Workarounds
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality.
Modify the Access Control List (ACL) on usp10.dll
Modify the ACL on usp10.dll to be more restrictive.
For 32-bit editions of Windows XP and Windows Server 2003, run the following commands from a command prompt with administrative privileges:
cacls %WINDIR%\SYSTEM32\usp10.DLL /E /P everyone:NFor 64-bit editions of Windows XP and Windows Server 2003, run the following commands from a command prompt with administrative privileges:
cacls %WINDIR%\SYSWOW64\usp10.DLL /E /P everyone:NImpact of workaround. FireFox may not load. Some fonts may not render properly.
How to undo the workaround.
For 32-bit editions of Windows XP and Windows Server 2003, run the following commands from a command prompt with administrative privileges:
cacls %WINDIR%\SYSTEM32\usp10.dll /E /R everyoneFor 64-bit editions of Windows XP and Windows Server 2003, run the following commands from a command prompt with administrative privileges:
cacls %WINDIR%\SYSWOW64\usp10.dll /E /R everyoneDisable support for parsing embedded fonts in Internet Explorer
Disabling the support for the parsing of embedded fonts in Internet Explorer prevents this application from being used as an attack vector. However, additional attack vectors, such as embedded fonts within a Microsoft Office document, could still succeed.
Using the Interactive Method
- In Internet Explorer, click Internet Options on the Tools menu
- Click the Security tab
- Click Internet, and then click Custom Level
- Scroll down to the Downloads section and select Prompt or Disable for the Font Downloading security setting
- Click OK two times to return to Internet Explorer
Using Group Policy
Note The Group Policy MMC snap-in can be used to set policy for a machine, for an organizational unit or an entire domain. For more information about Group Policy, see the TechNet article, Group Policy collection.
Perform the following steps:
- Open the Group Policy Management Console and configure the console to work with the appropriate Group Policy object, such as local machine, OU, or domain GPO.
- Navigate to the following node: User Configuration - Windows Settings - Internet Explorer - Maintenance - Security
- Double-click Security Zones and Content Rating.
- In the Security Zones and Content Rating dialog box, select Import the current security zones and privacy settings and then click the Modify Settings button.
Note This will create a Group Policy for Internet Explorer based on the settings of the currently logged-on user. - In the Internet Properties dialog box, ensure the Internet zone is selected and then click Custom Level.
- Scroll down to Downloads and set Font Download to Prompt or Disable.
- Click OK to return to the Internet Properties dialog box.
- Repeat these steps for the Local Intranet zone.
- Click OK three times to return to the Group Policy Management Console.
- Refresh the Group Policy on all machines or wait for the next scheduled Group Policy refresh interval for the settings to take effect.
Using a Managed Deployment Script
This security setting can be manually entered into the registry by creating a registry script and importing it either by double-clicking it or running regedit.exe as part of a logon or machine startup script. For managed deployments Regedit.exe can be used to import a registry script silently with the /s switch. For more information on regedit command line switches, see Microsoft Knowledge Base Article 82821, "Registration Info Editor (REGEDIT) Command-Line Switches."
To set to Prompt for the Internet and Local Intranet Zones, paste the following text into a .REG file and then import the .REG file on managed machines as part of your organization's managed deployment process:
Windows Registry Editor Version 5.00
; Zone 1 is the local intranet zone ; 1604 is the Font download policy ; dword:00000001 sets the policy to prompt [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] "1604"=dword:00000001 ; Zone 3 is the internet zone [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] "1604"=dword:00000001
To set to Disable for the Internet and Local Intranet Zones, paste the following text into a .REG file and then import the .REG file on managed machines as part of your organization's managed deployment process:
Windows Registry Editor Version 5.00
; Zone 1 is the local intranet zone ; 1604 is the Font download policy ; dword:00000003 sets the policy to disable [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] "1604"=dword:00000003 ; Zone 3 is the internet zone [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] "1604"=dword:00000003
Impact of workaround. Web pages that make use of embedded font technology will fail to display properly.
FAQ
What is the scope of the vulnerability?
This is a remote code execution vulnerability.
What causes the vulnerability?
The vulnerability is caused when the Unicode Scripts Processor, included in affected versions of Microsoft Windows, incorrectly parses specific font types in a way that corrupts memory and allows for arbitrary code to be executed.
What is the Unicode Script Processor?
The Unicode Script Processor (USP10.DLL), also known as Uniscribe, is a collection of APIs that enables a text layout client to format complex scripts. Uniscribe supports the complex rules found in scripts such as Arabic, Indian, and Thai. Uniscribe also handles scripts written from right-to-left such as Arabic or Hebrew, and supports the mixing of scripts. For plain-text clients, Uniscribe provides a range of ScriptString functions that are similar to TextOut, with additional support for caret placement. The remainder of the Uniscribe interfaces provides finer control to clients.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
How could an attacker exploit the vulnerability?
The Unicode Scripts Processor is a Windows component which may be used by both Microsoft software and third-party applications.
An attacker could leverage a web browser to exploit this vulnerability. For example, an attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email.
An attacker could leverage an application that supports embedded OpenType fonts to exploit this vulnerability. For example, an attacker could send a specially crafted document associated with an application that supports embedded OpenType fonts to a user and convince the user to open the file.
Note that an application could only be leveraged to exploit this vulnerability if the application used a vulnerable version of USP10.DLL in an affected version of Microsoft Windows.
What systems are primarily at risk from the vulnerability?
Desktop machines or terminal servers where users may view content that could contain malformed OpenType fonts are particularly at risk from this vulnerability.
What does the update do?
The update addresses this vulnerability by correcting the way that Microsoft Windows parses specific characteristics of OpenType fonts.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.
Update Information
Detection and Deployment Tools and Guidance
Several resources are available to help administrators deploy security updates.
- Microsoft Baseline Security Analyzer (MBSA) lets administrators scan local and remote systems for missing security updates and common security misconfigurations.
- Windows Server Update Services (WSUS), Systems Management Server (SMS), and System Center Configuration Manager help administrators distribute security updates.
- The Update Compatibility Evaluator components included with Application Compatibility Toolkit aid in streamlining the testing and validation of Windows updates against installed applications.
For information about these and other tools that are available, see Security Tools for IT Pros.
Security Update Deployment
Affected Software
For information about the specific security update for your affected software, click the appropriate link:
Windows XP (all editions)
Reference Table
The following table contains the security update information for this software.
| Security update file names | For Windows XP Service Pack 3:\ WindowsXP-KB2850869-x86-enu.exe |
|---|---|
| For Windows XP Professional x64 Edition Service Pack 2:\ WindowsServer2003.WindowsXP-KB2850869-x64-enu.exe | |
| Installation switches | See Microsoft Knowledge Base Article 262841 |
| Update log file | KB2850869.log |
| Restart requirement | In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. |
| Removal information | Use Add or Remove Programs item in Control Panel or the Spuninst.exe utility located in the %Windir%$NTUninstallKB2850869$\Spuninst folder |
| File information | See Microsoft Knowledge Base Article 2850869 |
| Registry key verification | For all supported 32-bit editions of Windows XP:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB2850869\Filelist |
| For all supported x64-based editions of Windows XP:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP Version 2003\SP3\KB2850869\Filelist |
Note The update for supported versions of Windows XP Professional x64 Edition also applies to supported versions of Windows Server 2003 x64 Edition.
Windows Server 2003 (all editions)
Reference Table
The following table contains the security update information for this software.
| Security update file names | For all supported 32-bit editions of Windows Server 2003:\ WindowsServer2003-KB2850869-x86-ENU.exe |
|---|---|
| For all supported x64-based editions of Windows Server 2003:\ WindowsServer2003.WindowsXP-KB2850869-x64-enu.exe | |
| For all supported Itanium-based editions of Windows Server 2003:WindowsServer2003-KB2850869-ia64-enu.exe | |
| Installation switches | See Microsoft Knowledge Base Article 262841 |
| Update log file | KB2850869.log |
| Restart requirement | In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. |
| Removal information | Use Add or Remove Programs item in Control Panel or the Spuninst.exe utility located in the %Windir%$NTUninstallKB2850869$\Spuninst folder |
| File information | See Microsoft Knowledge Base Article 2850869 |
| Registry key verification | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2850869\Filelist |
Note The update for supported versions of Windows Server 2003 x64 Edition also applies to supported versions of Windows XP Professional x64 Edition.
Other Information
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
- Bob Clary of Mozilla for reporting the Uniscribe Font Parsing Engine Memory Corruption Vulnerability (CVE-2013-3181)
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please go to the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
Support
How to obtain help and support for this security update
- Help installing updates: Support for Microsoft Update
- Security solutions for IT professionals: TechNet Security Troubleshooting and Support
- Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
- Local support according to your country: International Support
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
- V1.0 (August 13, 2013): Bulletin published.
Built at 2014-04-18T13:49:36Z-07:00