MicroType Express

MicroType Express is the (optional) compression technology used by Embedded OpenType fonts. It was specifically designed to compress TrueType fonts. These fonts are generally to be found in web pages or Office documents.

Internet Explorer with EOT fonts

In this screenshot, Internet Explorer is displaying fonts downloaded from a remote server. Embedding fonts in a web page is very easy:

@font-face {
    font-family: Piefont;
    font-style:  normal;
    font-weight: normal;
    src: url(PIE0.eot);
}
@font-face {
    font-family: GS;
    font-style:  normal;
    font-weight: normal;
    src: url(GOUDYST2.eot);
}
@font-face {
    font-family: Garabold;
    font-style:  normal;
    font-weight: 700;
    src: url(GARAMON5.eot);
}
@font-face {
    font-family: Garanorm;
    font-style:  normal;
    font-weight: normal;
    src: url(GARAMON4.eot);
}
@font-face {
    font-family: Script;
    font-style:  normal;
    font-weight: normal;
    src: url(SCRIPTM2.eot);
}

What happens when Internet Explorer tries to open EOT fonts is that it loads T2Embed.dll from the System32 directory.

T2Embed DLL

The job of this DLL is to convert EOT fonts back to the original OpenType format, which is then parsed and displayed. Thus, EOT fonts are subject to exploits either in their MicroType Express layer or in the resulting OpenType font. In fact, lzcomp, the custom LZ77-based compression algorithm used by MicroType Express, has been exploited as a vector for remote code execution. It should be noted that the vulnerability was reported in 2010, while the W3C submission of the MicroType Express standard by Microsoft is dated 2008. The lzcomp decompression code contained in the W3C submission does not include the patches introduced after the vulnerability was reported (I checked). So while probably few will use that code anyway, anyone who does should be careful to add safety checks so as not to carry the above-mentioned vulnerability into their own code.
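As an added illustration (not code from the post, the Profiler, or the W3C submission) of the kind of safety checks an LZ77-style decoder needs, here is a small decompressor over a constructed token format that is only a stand-in for the real lzcomp bitstream: every read from the input and every write to the output is bounds-checked, and a back-reference that points before the start of the output, or a length that would run past the output buffer, is rejected instead of trusted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed token format (NOT the MicroType Express lzcomp bitstream):
 *   0x00 len  <len bytes>   literal run of `len` bytes
 *   0x01 dist len           back-reference: copy `len` bytes starting
 *                           `dist` bytes before the current output end  */
#define LZ_LITERAL 0x00
#define LZ_MATCH   0x01

/* Returns the number of bytes written, or -1 if the stream is truncated,
 * malformed, or would write outside `out`. Each check happens before the
 * memory access it guards, which is what the unpatched code lacked. */
long lz_decompress_checked(const uint8_t *in, size_t in_len,
                           uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        uint8_t tag = in[ip++];
        if (tag == LZ_LITERAL) {
            if (ip >= in_len) return -1;            /* truncated header      */
            size_t len = in[ip++];
            if (len > in_len - ip) return -1;       /* literal run past input */
            if (len > out_cap - op) return -1;      /* would overflow output  */
            memcpy(out + op, in + ip, len);
            ip += len;
            op += len;
        } else if (tag == LZ_MATCH) {
            if (in_len - ip < 2) return -1;         /* truncated header      */
            size_t dist = in[ip++];
            size_t len  = in[ip++];
            if (dist == 0 || dist > op) return -1;  /* points before output  */
            if (len > out_cap - op) return -1;      /* would overflow output  */
            /* byte-wise copy: overlapping matches (dist < len) are legal */
            for (size_t i = 0; i < len; i++, op++)
                out[op] = out[op - dist];
        } else {
            return -1;                              /* unknown token tag     */
        }
    }
    return (long)op;
}
```

The two rejected cases in the checks above, a distance larger than the bytes already produced and a length larger than the remaining output space, are exactly the conditions a decoder must refuse rather than silently copy.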

While the Profiler already supported uncompressed Embedded OpenType fonts in version 0.7.6, partial support for MicroType Express is only being added in the upcoming 0.7.7 version. I say partial because, although the embedded OpenType font gets completely decompressed, of the tables that MicroType Express deconstructs only glyf and loca are rebuilt, which is enough to allow disassembling of the bytecode. Tables which are not yet rebuilt are: cvt, hdmx and VDMX. Using T2Embed.dll for the conversion was not an option, since it doesn't fit the Profiler's safety standards.

Word doc with fonts

This is a Word document containing Embedded OpenType fonts. :)

MSI support

Even though CAB file support is still under development, the CFBF parser already lets us inspect Windows Installer packages and patches.

MSI streams

Having such a feature comes in handy when you want to analyse their contents, and it eliminates the need for external tools.

In the screenshot above, I’ve selected one of the DLLs that link to MSI custom actions, i.e. code that is potentially executed as soon as Windows Installer opens the package.