Microsoft Security Bulletin MS14-079 - Moderate

Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (3002885)

Published: November 11, 2014

Version: 1.0

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker places a specially crafted TrueType font on a network share and a user subsequently navigates there in Windows Explorer. In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to persuade users to visit a website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.

This security update is rated Moderate for all supported releases of Microsoft Windows. For more information, see the Affected Software section.

The security update addresses the vulnerability by ensuring that the Windows kernel-mode driver properly validates array indexes when loading TrueType font files. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.

For more information about this update, see Microsoft Knowledge Base Article 3002885.

The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

 

Operating System

Maximum Security Impact

Aggregate Severity Rating

Updates Replaced

Windows Server 2003

Windows Server 2003 Service Pack 2
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Server 2003 x64 Edition Service Pack 2
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Server 2003 with SP2 for Itanium-based Systems
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Vista

Windows Vista Service Pack 2
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Vista x64 Edition Service Pack 2
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Server 2008

Windows Server 2008 for 32-bit Systems Service Pack 2
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Server 2008 for x64-based Systems Service Pack 2
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Server 2008 for Itanium-based Systems Service Pack 2
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows 7

Windows 7 for 32-bit Systems Service Pack 1
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows 7 for x64-based Systems Service Pack 1
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Server 2008 R2

Windows Server 2008 R2 for x64-based Systems Service Pack 1
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows 8 and Windows 8.1

Windows 8 for 32-bit Systems
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows 8 for x64-based Systems
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows 8.1 for 32-bit Systems
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows 8.1 for x64-based Systems
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Server 2012 and Windows Server 2012 R2

Windows Server 2012
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Server 2012 R2
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows RT and Windows RT 8.1

Windows RT[1]
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows RT 8.1[1]
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Server Core installation option

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Server 2012 (Server Core installation)
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

Windows Server 2012 R2 (Server Core installation)
(3002885)

Denial of Service

Moderate

3000061 in MS14-058

[1]This update is available via Windows Update only.

 

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software

Affected Software

Denial of Service in Windows Kernel Mode Driver Vulnerability - CVE-2014-6317

Aggregate Severity Rating

Windows Server 2003

Windows Server 2003 Service Pack 2
(3002885)

Moderate 
Denial of Service

Moderate

Windows Server 2003 x64 Edition Service Pack 2
(3002885)

Moderate 
Denial of Service

Moderate

Windows Server 2003 with SP2 for Itanium-based Systems
(3002885)

Moderate 
Denial of Service

Moderate

Windows Vista

Windows Vista Service Pack 2
(3002885)

Moderate 
Denial of Service

Moderate

Windows Vista x64 Edition Service Pack 2
(3002885)

Moderate 
Denial of Service

Moderate

Windows Server 2008

Windows Server 2008 for 32-bit Systems Service Pack 2
(3002885)

Moderate 
Denial of Service

Moderate

Windows Server 2008 for x64-based Systems Service Pack 2
(3002885)

Moderate 
Denial of Service

Moderate

Windows Server 2008 for Itanium-based Systems Service Pack 2
(3002885)

Moderate 
Denial of Service

Moderate

Windows 7

Windows 7 for 32-bit Systems Service Pack 1
(3002885)

Moderate 
Denial of Service

Moderate

Windows 7 for x64-based Systems Service Pack 1
(3002885)

Moderate 
Denial of Service

Moderate

Windows Server 2008 R2

Windows Server 2008 R2 for x64-based Systems Service Pack 1
(3002885)

Moderate 
Denial of Service

Moderate

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(3002885)

Moderate 
Denial of Service

Moderate

Windows 8 and Windows 8.1

Windows 8 for 32-bit Systems
(3002885)

Moderate 
Denial of Service

Moderate

Windows 8 for x64-based Systems
(3002885)

Moderate 
Denial of Service

Moderate

Windows 8.1 for 32-bit Systems
(3002885)

Moderate 
Denial of Service

Moderate

Windows 8.1 for x64-based Systems
(3002885)

Moderate 
Denial of Service

Moderate

Windows Server 2012 and Windows Server 2012 R2

Windows Server 2012
(3002885)

Moderate 
Denial of Service

Moderate

Windows Server 2012 R2
(3002885)

Moderate 
Denial of Service

Moderate

Windows RT and Windows RT 8.1

Windows RT
(3002885)

Moderate 
Denial of Service

Moderate

Windows RT 8.1
(3002885)

Moderate 
Denial of Service

Moderate

Server Core installation option

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
(3002885)

Moderate 
Denial of Service

Moderate

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
(3002885)

Moderate 
Denial of Service

Moderate

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(3002885)

Moderate 
Denial of Service

Moderate

Windows Server 2012 (Server Core installation)
(3002885)

Moderate 
Denial of Service

Moderate

Windows Server 2012 R2 (Server Core installation)
(3002885)

Moderate 
Denial of Service

Moderate

 

A denial of service vulnerability exists in the Windows kernel-mode driver that is caused by the improper handling of TrueType font objects in memory. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers. The update addresses this vulnerability by ensuring that the Windows kernel-mode driver properly validates array indexes when loading TrueType font files.

Mitigating Factors

The following mitigating factors may be helpful in your situation:

  • In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to persuade users to visit a website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.
  • The malicious file could be sent as an email attachment, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability.

Workarounds

The following workarounds may be helpful in your situation:

  • Deny access to T2EMBED.DLL

    On Windows Server 2003:

    • For 32-bit systems, enter the following command at an administrative command prompt:
      Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N
      
    • For 64-bit systems, enter the following command at an administrative command prompt:
      Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N
      Echo y| cacls "%windir%\syswow64\t2embed.dll" /E /P everyone:N
      

    On Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2:

    • For 32-bit systems, enter the following command at an administrative command prompt:
      Takeown.exe /f "%windir%\system32\t2embed.dll"
      Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)
      
    • For 64-bit systems, enter the following command at an administrative command prompt:
      Takeown.exe /f "%windir%\system32\t2embed.dll"
      Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)
      Takeown.exe /f "%windir%\syswow64\t2embed.dll"
      Icacls.exe "%windir%\syswow64\t2embed.dll" /deny everyone:(F)
      

    Impact of Workaround. Applications that rely on embedded font technology will fail to display properly.

    How to undo the workaround.

    On Windows Server 2003:

    • For 32-bit systems, enter the following command at an administrative command prompt:
      cacls "%windir%\system32\t2embed.dll" /E /R everyone
      
    • For 64-bit systems, enter the following command at an administrative command prompt:
      cacls "%windir%\system32\t2embed.dll" /E /R everyone
      cacls "%windir%\syswow64\t2embed.dll" /E /R everyone
      

    On Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2:

    • For 32-bit systems, enter the following command at an administrative command prompt:
      Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d  everyone
      
    • For 64-bit systems, enter the following command at an administrative command prompt:
      Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d  everyone
      Icacls.exe %WINDIR%\syswow64\t2embed.DLL /remove:d  everyone
      

FAQ

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could cause the target system to stop responding and restart.

How could an attacker exploit the vulnerability? 
An attacker could host a specially crafted TrueType font on a network share and when the user navigates to the share in Windows Explorer, the affected control path is triggered via the Details and Preview panes. The specially crafted TrueType font could then exploit the vulnerability and cause the system to stop responding.

In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and by convincing the user to open the file in an affected version of Microsoft Windows software.

In a web-based attack scenario, an attacker could host a website that contains a file that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's site, and then convince them to open the specially crafted file in an affected version of Microsoft Windows software.

What systems are primarily at risk from the vulnerability? 
Workstations and terminal servers are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

For Security Update Deployment information see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

  • V1.0 (November 11, 2014): Bulletin published.

Page generated 2015-01-14 12:02Z-08:00.
Show: