Microsoft Windows Embedded OpenType Font Engine Integer Overflow Vulnerability
http://www.symantec.com/business/security_response/vulnerability.jsp?bid=35187

Risk
High

Date Discovered
7/14/2009 12:00:00 AM

Description
Microsoft Windows is prone to a remotely exploitable integer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it into an insufficiently sized memory buffer. Remote attackers can exploit this issue to execute arbitrary machine code in the context of the vulnerable software on the targeted user's computer.

Technologies Affected
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Server SP4
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP3
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP3
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP3
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP3
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 x64
Microsoft Windows Server 2003 Itanium
Microsoft Windows Vista
Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP3
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition SP1 Beta 1
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition SP1 Beta 1
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition SP1 Beta 1
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition SP1 Beta 1
Microsoft Windows Server 2008 Datacenter Edition
Microsoft Windows Server 2008 Datacenter Edition Release Candidate
Microsoft Windows Server 2008 Enterprise Edition
Microsoft Windows Server 2008 Enterprise Edition Release Candidate
Microsoft Windows Server 2008
Microsoft Windows Server 2008 Standard Edition
Microsoft Windows Server 2008 Standard Edition Release Candidate
Microsoft Windows Vista beta
Microsoft Windows Vista Beta 1
Microsoft Windows Vista Business 64-bit edition
Microsoft Windows Vista Enterprise 64-bit edition
Microsoft Windows Vista Home Basic 64-bit edition
Microsoft Windows Vista Home Premium 64-bit edition
Microsoft Windows Vista SP1
Microsoft Windows Vista SP2
Microsoft Windows Vista Ultimate 64-bit edition
Microsoft Windows XP
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP Gold
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Professional
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional x64 Edition SP3
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows Vista x64 Edition
Microsoft Windows Vista x64 Edition SP1
Microsoft Windows Vista x64 Edition SP2
Microsoft Windows Server 2008 for 32-bit Systems
Microsoft Windows Server 2008 for x64-based Systems
Microsoft Windows Server 2008 for Itanium-based Systems

Recommendations
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.

Do not accept or execute files from untrusted or unknown sources.
Users should never accept files from untrusted or unknown sources, because they may be malicious in nature. Avoid opening email attachments from unknown or questionable sources.

Do not accept communications that originate from unknown or untrusted sources.
Do not follow links or open email from unknown or untrusted sources.

Implement multiple redundant layers of security.
Since this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploit attempts of memory-corruption vulnerabilities.

Run all software as a nonprivileged user with minimal access rights.
To mitigate the impact of a successful exploit, run the affected applications as a user with minimal access rights.

Disable any services that are not needed.
Since successful exploits may require users to view HTML content in email messages, consider disabling HTML rendering in email clients to mitigate the possibility of remote exploitation. Note that disabling HTML content in email clients may reduce functionality.

The vendor has released an advisory and updates. Please see the references for details.

References
Source: Microsoft Security Bulletin MS09-029
URL: http://www.microsoft.com/technet/security/Bulletin/MS09-029.mspx

Source: Font Embedding for the Web
URL: http://www.microsoft.com/typography/web/embedding/default.aspx

Source: Microsoft Windows Homepage
URL: http://www.microsoft.com/windows/default.mspx

Source: MS09-029: Vulnerabilities in the EOT parsing engine
URL: http://blogs.technet.com/srd/archive/2009/07/14/ms09-029-vulnerabilities-in-the-eot-parsing-engine.aspx

Credits
Thomas Garnier of SkyRecon


Site Updated September 08, 2010
©2000-2010 Emagined Security
All Rights Reserved
