OT: OpenType font vulnerability

[Trinoc]

Sorry if this is off-topic but it was the closest section I could find for the question.

Microsoft don't seem to be releasing an XP fix for the OpenType font vulnerabilities (citing end of support, unsurprisingly) so for those of still on XP (including Atom users who presumably have no alternative):

I see Palemoon loads the vulnerable driver T2EMBED.DLL. I've disabled access to this with CACLS and I haven't seen any problems so far. Is disabling this likely to cause any significant problems?

Also, does anyone know of a fixed version of this driver for XP, or possibly that the fixed version for a later version of Windows can be back-stitched into XP?

[Moonchild]

Microsoft don't seem to be releasing an XP fix for the OpenType font vulnerabilities

More than a year after the official end of an extended lifecycle - are you surprised?
You can expect more vulnerabilities to become known and eventually exploited in Windows XP. It'll be an ongoing battle to keep your usage acceptably safe.

That being said, the bulletin doesn't indicate if XP is vulnerable or not. It may or may not be.

Versions or editions that are not listed are either past their support life cycle or are not affected.

[Trinoc]

More than a year after the official end of an extended lifecycle - are you surprised?
You can expect more vulnerabilities to become known and eventually exploited in Windows XP. It'll be an ongoing battle to keep your usage acceptably safe.

Not at all surprised, but what are Atom users who can't upgrade to later Windows doing about security updates?

That being said, the bulletin doesn't indicate if XP is vulnerable or not. It may or may not be.

This is where I found the trick to disable the DLL:

http://www.verisigninc.com/en_US/security-services/security-intelligence/vulnerability-reports/articles/index.xhtml?id=811

I now see it seems to be dated 2009, so I'm not sure whether the current exploit is covered by their fix. However, it does say the exploit they are talking about affects XP.

I get the impression it only affects embedded OpenType fonts (I see many installed XP fonts such as Arial show up with the OpenType icon).

Anyway, the main question was: what effect (if any) can I expect to see from excluding T2EMBED.DLL from Palemoon (and other programs)? Will it only affect the display of web pages with their own built-in exotic fonts, leaving installed OpenType fonts usable as before?

This seems to be the case. If Arial was screwed up I'm sure I would have noticed by now. I'm pretty sure this message is displaying in Arial as I type it.

[Moonchild]

I think denying access to the dll will prevent any use of opentype fonts in all applications. I may be wrong! Should be relatively easy to check, though.

Thankfully, most XP fonts are truetype, not opentype. Common fonts have both versions installed by default (with TTF usually having a limited unicode character set). Maybe not on a fresh install? They might come with office.

And the forum uses Trebuchet if available, then verdana. Arial doesn't come into the picture until much later as fallback -- and even then if it's not available, font substitution will choose something "sans-serif" at will as last ditch effort (like Lucida Sans, Modern, or similar bitmapped fonts).

If you're going to block OTF files though, maybe it's an idea to convert them to ttf (if they can be loaded without t2embed, anyway?)

[Trinoc]

I think denying access to the dll will prevent any use of opentype fonts in all applications. I may be wrong! Should be relatively easy to check, though.

So far, OpenOffice and PDF files using Arial seem to be OK.

If you're going to block OTF files though, maybe it's an idea to convert them to ttf (if they can be loaded without t2embed, anyway?)

The system font files are all .TTF (or .FON for really old ones), but some of these display in the control panel "Fonts" app with the OpenType icon and some with the TrueType icon. I read somewhere that OpenType files sometimes have .TTF extensions and the type is determined by the content. So either the Arial.ttf file in my system isn't really OpenType (despite the icon), or disabling access to T2EMBED.DLL has not stopped system fonts being used.

It looks like the fonts which came with the system are .TTF with the OpenType icon, and fonts which I have installed later (usually from older systems) have the TrueType icon. The only .OTF fonts I have anywhere on the system are CreteRound-Italic.otf and CreteRound-Regular.otf, both of which seem to be specific to the Chrome version of Adblock Plus.

Anyway, everything seems to work so far with T2EMBED.DLL blocked. I just wondered whether anyone on this forum knew of any known pitfalls.

[LimboSlam]

Would this be related to the recently patched exploit Microsoft found? Here they say, " Versions or editions that are not listed are either past their support life cycle or are not affected," So are we vulnerable??

LINK: https://blog.malwarebytes.org/security-threat/2015/07/update-now-critical-patch-pushed-by-microsoft/

[ron_1]

Trinoc wrote:
Not at all surprised, but what are Atom users who can't upgrade to later Windows doing about security updates?

Is there another reason besides using an Atom processor that you can't upgrade? I ask because my son's computer is an Atom and it's running Windows 7 (not great, but it does work).

As for this specific vulnerability, there may be something you can do about it on XP machines if I'm reading this ghacks article correctly.
http://www.ghacks.net/2015/07/21/emergency-patch-for-windows-vulnerability-ms15-078-released-kb3079904/

LimboSlam wrote:
Would this be related to the recently patched exploit Microsoft found? Here they say, " Versions or editions that are not listed are either past their support life cycle or are not affected," So are we vulnerable??

According to the ghack article (link above), yes.

[Trinoc]

As for this specific vulnerability, there may be something you can do about it on XP machines if I'm reading this ghacks article correctly.
http://www.ghacks.net/2015/07/21/emergency-patch-for-windows-vulnerability-ms15-078-released-kb3079904/

LimboSlam wrote:
Would this be related to the recently patched exploit Microsoft found? Here they say, " Versions or editions that are not listed are either past their support life cycle or are not affected," So are we vulnerable??

According to the ghack article (link above), yes.

OK, it looks like I hit the wrong target. The offending file is ATMFD.DLL, not T2EMBED.DLL. I'm not sure why the article lists a string of shell commands to rename this .. I just renamed atmfd.dll as x-atmfd.dll in Windows Explorer with no difficulty. So far no problems with Palemoon (which didn't have it loaded anyway) or displaying either OpenOffice or PDF files.

Edit: I seem to have DLLCACHE disabled (the directory is empty). Reading comments on the ghacks article it looks like just renaming ATMFD.DLL in SYSTEM32 will cause Windows to replace it with a new copy. One commenter suggests putting these lines in a .BAT file so that they can be run quickly before Windows creates the new copy:

ren C:\WINDOWS\System32\dllcache\atmfd.dll atmfd.bak
ren C:\WINDOWS\ServicePackFiles\i386\atmfd.dll atmfd.bak
ren C:\WINDOWS\System32\atmfd.dll atmfd.bak

Edit edit: Microsoft says the culprit is T2EMBED.DLL after all, so now I don't know who to believe. I've got both DLLs disabled for now and I haven't had any problems yet.

https://technet.microsoft.com/library/security/ms10-076