Following the usual cycle of monthly patch releases, Microsoft just issued its first for this year yesterday. Microsoft has released one advisory to address the vulnerability found in the way the Embedded OpenType (EOT) Font Engine can render a specially crafted EOT font file in several Microsoft applications such as Internet Explorer (IE), PowerPoint, and Word.
An EOT font is a type of OpenType font with the .eot extension. Microsoft created EOT fonts to have them embedded in Web pages to discourage copying (and eventually, using) copyrighted fonts online, which is almost always a possibility.
According to the official Microsoft bulletin, once the EOT Engine renders a malformed .EOT file, attackers could use the vulnerability to take complete control of the system. This means that they would be able to perform tasks on an affected machine such as installing new programs, deleting important files, or creating new accounts, all without the user’s knowledge. Microsoft has given MS10-001 an Exploitability Index rating of “2,” which means it can be replicated but the outcome of its use would always vary, thus, inconsistent. Note, however, that this rating only applies to systems running Windows 2000. Later versions are unlikely to be exploited.
Below is a list of other updates regarding vulnerabilities and patches:
- A proof-of-concept (POC) exploit for Mac OS X has just been released. For details, refer here. Note that in this Registry article, Apple has been informed about the said exploit last June 2009 but decided to sit on the matter.
- Microsoft, too, did its share of sitting on vulnerability concerns rather than addressing them. As of this writing, a security patch for a vulnerability found in SMB that could be used for a denial-of-service (DoS) attacks has yet to be released.