Microsoft Security Bulletin MS14-079 - Moderate
Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (3002885)
Published: November 11, 2014
Version: 1.0
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker places a specially crafted TrueType font on a network share and a user subsequently navigates there in Windows Explorer. In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to persuade users to visit a website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.
This security update is rated Moderate for all supported releases of Microsoft Windows. For more information, see the Affected Software section.
The security update addresses the vulnerability by ensuring that the Windows kernel-mode driver properly validates array indexes when loading TrueType font files. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.
For more information about this update, see Microsoft Knowledge Base Article 3002885.
Affected Software
The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
| Operating System | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced |
|---|---|---|---|
| Windows Server 2003 | |||
| Windows Server 2003 Service Pack 2 (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Server 2003 x64 Edition Service Pack 2 (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Server 2003 with SP2 for Itanium-based Systems (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Vista | |||
| Windows Vista Service Pack 2 (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Vista x64 Edition Service Pack 2 (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Server 2008 | |||
| Windows Server 2008 for 32-bit Systems Service Pack 2 (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Server 2008 for x64-based Systems Service Pack 2 (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows 7 | |||
| Windows 7 for 32-bit Systems Service Pack 1 (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows 7 for x64-based Systems Service Pack 1 (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Server 2008 R2 | |||
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows 8 and Windows 8.1 | |||
| Windows 8 for 32-bit Systems (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows 8 for x64-based Systems (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows 8.1 for 32-bit Systems (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows 8.1 for x64-based Systems (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Server 2012 and Windows Server 2012 R2 | |||
| Windows Server 2012 (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Server 2012 R2 (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows RT and Windows RT 8.1 | |||
| Windows RT[1](3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows RT 8.1[1](3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Server Core installation option | |||
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Server 2012 (Server Core installation) (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
| Windows Server 2012 R2 (Server Core installation) (3002885) | Denial of Service | Moderate | 3000061 in MS14-058 |
[1]This update is available via Windows Update only.
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary.
| Vulnerability Severity Rating and Maximum Security Impact by Affected Software | ||
|---|---|---|
| Affected Software | Denial of Service in Windows Kernel Mode Driver Vulnerability - CVE-2014-6317 | Aggregate Severity Rating |
| Windows Server 2003 | ||
| Windows Server 2003 Service Pack 2 (3002885) | Moderate \ Denial of Service | Moderate |
| Windows Server 2003 x64 Edition Service Pack 2 (3002885) | Moderate \ Denial of Service | Moderate |
| Windows Server 2003 with SP2 for Itanium-based Systems (3002885) | Moderate\ Denial of Service | Moderate |
| Windows Vista | ||
| Windows Vista Service Pack 2 (3002885) | Moderate\ Denial of Service | Moderate |
| Windows Vista x64 Edition Service Pack 2 (3002885) | Moderate \ Denial of Service | Moderate |
| Windows Server 2008 | ||
| Windows Server 2008 for 32-bit Systems Service Pack 2 (3002885) | Moderate\ Denial of Service | Moderate |
| Windows Server 2008 for x64-based Systems Service Pack 2 (3002885) | Moderate\ Denial of Service | Moderate |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 (3002885) | Moderate \ Denial of Service | Moderate |
| Windows 7 | ||
| Windows 7 for 32-bit Systems Service Pack 1 (3002885) | Moderate\ Denial of Service | Moderate |
| Windows 7 for x64-based Systems Service Pack 1 (3002885) | Moderate\ Denial of Service | Moderate |
| Windows Server 2008 R2 | ||
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3002885) | Moderate \ Denial of Service | Moderate |
| Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3002885) | Moderate \ Denial of Service | Moderate |
| Windows 8 and Windows 8.1 | ||
| Windows 8 for 32-bit Systems (3002885) | Moderate \ Denial of Service | Moderate |
| Windows 8 for x64-based Systems (3002885) | Moderate\ Denial of Service | Moderate |
| Windows 8.1 for 32-bit Systems (3002885) | Moderate \ Denial of Service | Moderate |
| Windows 8.1 for x64-based Systems (3002885) | Moderate\ Denial of Service | Moderate |
| Windows Server 2012 and Windows Server 2012 R2 | ||
| Windows Server 2012 (3002885) | Moderate \ Denial of Service | Moderate |
| Windows Server 2012 R2 (3002885) | Moderate\ Denial of Service | Moderate |
| Windows RT and Windows RT 8.1 | ||
| Windows RT (3002885) | Moderate\ Denial of Service | Moderate |
| Windows RT 8.1 (3002885) | Moderate \ Denial of Service | Moderate |
| Server Core installation option | ||
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3002885) | Moderate\ Denial of Service | Moderate |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3002885) | Moderate\ Denial of Service | Moderate |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3002885) | Moderate\ Denial of Service | Moderate |
| Windows Server 2012 (Server Core installation) (3002885) | Moderate\ Denial of Service | Moderate |
| Windows Server 2012 R2 (Server Core installation) (3002885) | Moderate\ Denial of Service | Moderate |
Denial of Service in Windows Kernel Mode Driver Vulnerability - CVE-2014-6317
A denial of service vulnerability exists in the Windows kernel-mode driver that is caused by the improper handling of TrueType font objects in memory. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued,****Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers. The update addresses this vulnerability by ensuring that the Windows kernel-mode driver properly validates array indexes when loading TrueType font files.
Mitigating Factors
The following mitigating factors may be helpful in your situation:
- In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to persuade users to visit a website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.
- The malicious file could be sent as an email attachment, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability.
Workarounds
The following workarounds may be helpful in your situation:
Deny access to T2EMBED.DLL
On Windows Server 2003:
For 32-bit systems, enter the following command at an administrative command prompt:
Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:NFor 64-bit systems, enter the following command at an administrative command prompt:
Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N Echo y| cacls "%windir%\syswow64\t2embed.dll" /E /P everyone:N
On Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2:
For 32-bit systems, enter the following command at an administrative command prompt:
Takeown.exe /f "%windir%\system32\t2embed.dll" Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)For 64-bit systems, enter the following command at an administrative command prompt:
Takeown.exe /f "%windir%\system32\t2embed.dll" Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F) Takeown.exe /f "%windir%\syswow64\t2embed.dll" Icacls.exe "%windir%\syswow64\t2embed.dll" /deny everyone:(F)
Impact of Workaround. Applications that rely on embedded font technology will fail to display properly.
How to undo the workaround.
On Windows Server 2003:
For 32-bit systems, enter the following command at an administrative command prompt:
cacls "%windir%\system32\t2embed.dll" /E /R everyoneFor 64-bit systems, enter the following command at an administrative command prompt:
cacls "%windir%\system32\t2embed.dll" /E /R everyone cacls "%windir%\syswow64\t2embed.dll" /E /R everyone
On Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2:
For 32-bit systems, enter the following command at an administrative command prompt:
Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyoneFor 64-bit systems, enter the following command at an administrative command prompt:
Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone Icacls.exe %WINDIR%\syswow64\t2embed.DLL /remove:d everyone
FAQ
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause the target system to stop responding and restart.
How could an attacker exploit the vulnerability?
An attacker could host a specially crafted TrueType font on a network share and when the user navigates to the share in Windows Explorer, the affected control path is triggered via the Details and Preview panes. The specially crafted TrueType font could then exploit the vulnerability and cause the system to stop responding.
In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and by convincing the user to open the file in an affected version of Microsoft Windows software.
In a web-based attack scenario, an attacker could host a website that contains a file that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's site, and then convince them to open the specially crafted file in an affected version of Microsoft Windows software.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.
Security Update Deployment
For Security Update Deployment information see the Microsoft Knowledge Base article referenced in the Executive Summary.
Acknowledgments
Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
- V1.0 (November 11, 2014): Bulletin published.
Page generated 2015-01-14 12:02Z-08:00.