
Topic: TTF Vuln - Discuss

imation
TTF Vuln - Discuss
« on: November 07, 2011, 03:06:37 PM »
Quote
Microsoft has revealed in the advisory that the problem is with the Windows’ TrueType font parsing engine. An attacker who exploits this vulnerability can run their own code in kernel mode and then proceed, unhindered to install programs; modify data; or create new accounts.

So I'm doing a bit of research on this vuln that has been pushed and publicised recently with the Duqu virus...
 
Does anybody have any info on how the TrueType font can be fettled?
 
Tar
 
iMation


imation
Re: TTF Vuln - Discuss
« Reply #2 on: November 07, 2011, 04:21:16 PM »
What is T2embed.dll?

The T2embed.dll file is a library that renders TrueType fonts on your computer.

How can a font be a source of infection?

Fonts are loaded into memory. For the font renderer to work it clearly has to read input (i.e. the text/font), so the only thing you have to do is craft some text/font/bytestream that leads to some buffer/heap overflow or whatever in the renderer, which then allows you to execute arbitrary code. There is apparently a security hole in the font rendering library that allows things it loads into memory to execute code.
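
Added example, not part of the original thread and not a model of the Duqu flaw (the thread gives no details of it): the post above describes a renderer trusting the bytes of a font, and this C code shows the bounds checks a parser should apply to a TrueType file's table directory before reading any table. The function name, error codes and sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { SFNT_OK, SFNT_TRUNCATED, SFNT_BAD_VERSION, SFNT_BAD_DIRECTORY, SFNT_TABLE_OOB };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Validate the sfnt header and table directory before any table is read. */
int sfnt_check(const uint8_t *buf, size_t len) {
    if (len < 12) return SFNT_TRUNCATED;               /* fixed 12-byte header */
    uint32_t ver = be32(buf);
    if (ver != 0x00010000u && ver != 0x74727565u)      /* 1.0 or 'true' */
        return SFNT_BAD_VERSION;
    size_t n = ((size_t)buf[4] << 8) | buf[5];         /* numTables, big-endian */
    if (n == 0 || n > (len - 12) / 16)                 /* 16-byte records must fit */
        return SFNT_BAD_DIRECTORY;
    size_t dir_end = 12 + 16 * n;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *rec = buf + 12 + 16 * i;        /* tag, checksum, offset, length */
        uint32_t off = be32(rec + 8), tlen = be32(rec + 12);
        /* Subtract instead of computing off + tlen, which can wrap in 32 bits. */
        if (off < dir_end || off > len || tlen > len - off)
            return SFNT_TABLE_OOB;
    }
    return SFNT_OK;
}

/* Constructed sample: one table "test", offset 28, length 4, 32 bytes total. */
static const uint8_t GOOD[32] = {
    0x00,0x01,0x00,0x00, 0x00,0x01, 0x00,0x10, 0x00,0x00, 0x00,0x00,
    't','e','s','t', 0,0,0,0, 0,0,0,28, 0,0,0,4,
    0xDE,0xAD,0xBE,0xEF };
/* Constructed sample: same file, but the record claims length 0xFFFFFFF0. */
static const uint8_t BAD_LEN[32] = {
    0x00,0x01,0x00,0x00, 0x00,0x01, 0x00,0x10, 0x00,0x00, 0x00,0x00,
    't','e','s','t', 0,0,0,0, 0,0,0,28, 0xFF,0xFF,0xFF,0xF0,
    0xDE,0xAD,0xBE,0xEF };

int main(void) {
    printf("good=%d bad_len=%d short_dir=%d\n", sfnt_check(GOOD, sizeof GOOD),
           sfnt_check(BAD_LEN, sizeof BAD_LEN), sfnt_check(GOOD, 20));
    return 0;
}
```

A font that fails any of these checks should be rejected outright rather than handed to the renderer.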


FuyuKitsune
Re: TTF Vuln - Discuss
« Reply #3 on: November 07, 2011, 04:23:48 PM »
I don't think anybody will have information on it unless somebody else finds it independently. Nobody has samples of Duqu (except antivirus companies) because it only infected a few specific computers around the world, so nobody has a chance to see how the exploit works.
Microsoft realized that only a few people are at risk of infection so they aren't patching immediately. If the exploit gets released to the public there will be a patch almost immediately.

imation
Re: TTF Vuln - Discuss
« Reply #4 on: November 08, 2011, 11:02:14 AM »
After speaking to a few specialists on malware I have a little more info. As for the inner workings, the Symantec PDF is the best read.


 


