Reference: CERT-EU Security Advisory 2011-0017
Title: Microsoft Windows Kernel '.fon' Font File Remote Code Execution [1]
Version history: 22.11.2011 Initial publication

Summary
=======

Microsoft Windows is prone to a remote code-execution vulnerability. A commercial exploit is available for CORE IMPACT; urgency raised.

CVE-2011-2003 (Candidate)

Severity Level [3]:
  CVSS2 Base      9.3
  Remote          Yes
  Local           No
  Credibility     Vendor Confirmed
  Ease            Exploit Available
  Authentication  Not Required

Potential impact
================

An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Failed exploit attempts will result in a denial-of-service condition.

1. An attacker crafts a malicious '.fon' font file to leverage this issue. The file may include replacement memory addresses, arbitrary code, and possibly NOP instructions.
2. The attacker uses email or other means to distribute the malicious file and to entice an unsuspecting user to open it.
3. When the file is processed, the attacker's code runs with kernel-level privileges.

Vulnerable Systems
==================

Among others:
  Avaya Aura Conferencing 6.0 Standard
  Avaya CallPilot 4.0 (cpe:/a:avaya:callpilot_unified_messaging:4.0)
  Avaya CallPilot 5.0 (cpe:/a:avaya:callpilot_unified_messaging:5.0)
  Avaya Communication Server 1000 Telephony Manager 3.0
  Avaya Communication Server 1000 Telephony Manager 4.0
  Various versions of Avaya Meeting Exchange
  Various versions of Avaya Messaging Application Server
  Various versions of Microsoft Windows 7
  Microsoft Windows Server 2008 R2
  Various versions of Microsoft Windows Server 2003
  Various versions of Microsoft Windows Server 2008
  Various versions of Microsoft Windows Vista
  Various versions of Microsoft Windows XP

What can you do?
================

Solutions:
  Fixes are available [2].

Work-arounds:
  Do not accept or execute files from untrusted or unknown sources.
  To reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.

  Do not follow links provided by unknown or untrusted sources.
  Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.

  Implement multiple redundant layers of security.
  Since this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.

  Run all software as a nonprivileged user with minimal access rights.
  To limit the impact of latent vulnerabilities, configure applications to run as a nonadministrative user with minimal access rights.

  Deploy network intrusion detection systems to monitor network traffic for malicious activity.
  Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity, including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.

What to tell your users?
========================

Normal security best practices apply. In particular, inform your Web users to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users should know not to click on links in suspicious emails, and should immediately forward any suspicious email to the IT security officer / contact in your institution.
More information
================

[1] http://technet.microsoft.com/en-us/security/bulletin/MS11-077
[2] http://technet.microsoft.com/en-us/security/bulletin/MS11-077
[3] CVSS details:
    CVSS Version 2 Scores
      CVSS2 Base             9.3
      CVSS2 Temporal         7.7
      CVSS2 Base Vector      AV:N/AC:M/Au:N/C:C/I:C/A:C
      CVSS2 Temporal Vector  E:F/RL:OF/RC:C
    More information about CVSS is available at: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383