Microsoft Windows kernel font code execution (Windows_Kernel_Font_Code_Execution)

About this signature or vulnerability

Proventia Server IPS for Linux technology, Proventia Network IPS, IBM Security Host Protection for Servers (Unix), Virtual Server Protection for Vmware, IBM Security Host Protection for Desktops, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor:

This event triggers when a malformed EOT file is detected.


False positives

Proventia Server IPS for Linux technology, Proventia Network IPS, IBM Security Host Protection for Servers (Unix), Virtual Server Protection for Vmware, IBM Security Host Protection for Desktops, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor: None

False negatives

Proventia Server IPS for Linux technology, Proventia Network IPS, IBM Security Host Protection for Servers (Unix), Virtual Server Protection for Vmware, IBM Security Host Protection for Desktops, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor: This event will not trigger when an TTF or EOT file is compressed.

Default risk level

High risk vulnerability  High

Sensors that have this signature

Proventia Server IPS for Linux technology: 29.110, Proventia Network IPS: XPU 29.110, IBM Security Host Protection for Servers (Unix): 2.2.2, Virtual Server Protection for Vmware: 1.0, IBM Security Host Protection for Desktops: 2450, Proventia Network MFS: XPU 29.110, Proventia-G 1.1 and earlier: XPU 29.110, Proventia Network IDS: XPU 29.110, IBM Security Host Protection for Servers (Windows): 2.0.300.2450, IBM Security Host Protection for Servers (Windows): 1.0.914.2450, IBM Security Host Protection for Servers (Windows): 2.1.14.2450, RealSecure Server Sensor: XPU 29.110

Systems affected

Microsoft Windows 2000: SP4, Microsoft Windows XP: SP2, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows XP: SP3

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Windows kernel-mode drivers could allow a remote attacker to execute arbitrary code on the system, caused by the improper parsing of font code when building a table of directory entries. By persuading a victim to open a specially-crafted file containing EOT font embedded in the document, a remote attacker could execute arbitrary code on the system or cause the application to crash.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

Microsoft Security Bulletin MS09-065
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)
http://www.microsoft.com/technet/security/bulletin/ms09-065.mspx

IBM Internet Security Systems Protection Alert
Microsoft Windows kernel font code execution
http://www.iss.net/threats/354.html

Microsoft Security Bulletin MS10-032
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559)
http://www.microsoft.com/technet/security/bulletin/ms10-032.mspx

Microsoft Security Bulletin MS10-048
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
http://www.microsoft.com/technet/security/bulletin/ms10-048.mspx

Microsoft Security Bulletin MS10-073
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)
http://www.microsoft.com/technet/security/bulletin/ms10-073.mspx

Microsoft Security Bulletin MS10-098
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2436673)
http://www.microsoft.com/technet/security/bulletin/ms10-098.mspx

Microsoft Security Bulletin MS11-012
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2479628)
http://www.microsoft.com/technet/security/bulletin/ms11-012.mspx

Microsoft Security Bulletin MS11-034
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223)
http://www.microsoft.com/technet/security/bulletin/ms11-034.mspx

Microsoft Security Bulletin MS11-041
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2525694)
http://www.microsoft.com/technet/security/bulletin/ms11-041.mspx

Microsoft Security Bulletin MS11-054
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917)
http://www.microsoft.com/technet/security/bulletin/ms11-054.mspx

Microsoft Security Bulletin MS11-054
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2555917)
http://www.microsoft.com/technet/security/bulletin/ms11-054.mspx

Microsoft Security Bulletin MS11-077
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)
http://www.microsoft.com/technet/security/bulletin/ms11-077.mspx

Microsoft Security Bulletin MS11-077
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)
http://www.microsoft.com/technet/security/bulletin/ms11-077.mspx

Microsoft Security Bulletin MS11-084
Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
http://www.microsoft.com/technet/security/bulletin/ms11-084.mspx

Microsoft Security Bulletin MS11-084
Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)
http://www.microsoft.com/technet/security/bulletin/ms11-084.mspx

Microsoft Security Bulletin MS11-087
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
http://technet.microsoft.com/en-us/security/bulletin/MS11-087

Microsoft Security Bulletin MS11-087
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
http://technet.microsoft.com/en-us/security/bulletin/MS11-087

Microsoft Security Bulletin MS11-087
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
http://technet.microsoft.com/en-us/security/bulletin/MS11-087

Microsoft Security Bulletin MS11-087
Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)
http://technet.microsoft.com/en-us/security/bulletin/MS11-087

Microsoft Security Bulletin MS12-008
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)
http://technet.microsoft.com/en-us/security/bulletin/ms12-008

Microsoft Security Bulletin MS12-008
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)
http://technet.microsoft.com/en-us/security/bulletin/ms12-008

Microsoft Security Bulletin MS12-008
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)
http://technet.microsoft.com/en-us/security/bulletin/ms12-008

Microsoft Security Bulletin MS12-008
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)
http://technet.microsoft.com/en-us/security/bulletin/ms12-008

Microsoft Security Bulletin MS12-018
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)
http://technet.microsoft.com/en-us/security/bulletin/ms12-018

Microsoft Security Bulletin MS12-018
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)
http://technet.microsoft.com/en-us/security/bulletin/ms12-018

Microsoft Security Bulletin MS12-018
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)
http://technet.microsoft.com/en-us/security/bulletin/ms12-018

Microsoft Security Bulletin MS12-018
Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)
http://technet.microsoft.com/en-us/security/bulletin/ms12-018

Microsoft Security Bulletin MS12-034
Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
http://technet.microsoft.com/en-us/security/bulletin/ms12-034

Microsoft Security Bulletin MS12-034
Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
http://technet.microsoft.com/en-us/security/bulletin/ms12-034

Microsoft Security Bulletin MS12-034
Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
http://technet.microsoft.com/en-us/security/bulletin/ms12-034

Microsoft Security Bulletin MS12-034
Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
http://technet.microsoft.com/en-us/security/bulletin/ms12-034

Microsoft Security Bulletin MS13-022
Vulnerability in Silverlight Could Allow Remote Code Execution (2814124)
http://technet.microsoft.com/en-us/security/bulletin/ms13-022

Microsoft Security Bulletin MS13-022
Vulnerability in Silverlight Could Allow Remote Code Execution (2814124)
http://technet.microsoft.com/en-us/security/bulletin/ms13-022

Microsoft Security Bulletin MS13-022
Vulnerability in Silverlight Could Allow Remote Code Execution (2814124)
http://technet.microsoft.com/en-us/security/bulletin/ms13-022

Microsoft Security Bulletin MS13-022
Vulnerability in Silverlight Could Allow Remote Code Execution (2814124)
http://technet.microsoft.com/en-us/security/bulletin/ms13-022

Microsoft Security Bulletin MS13-054
Vulnerability in Windows Components Could Allow Remote Code Execution (2848295)
http://technet.microsoft.com/en-us/security/bulletin/ms13-054

Microsoft Security Bulletin MS13-054
Vulnerability in Windows Components Could Allow Remote Code Execution (2848295)
http://technet.microsoft.com/en-us/security/bulletin/ms13-054

Microsoft Security Bulletin MS13-054
Vulnerability in Windows Components Could Allow Remote Code Execution (2848295)
http://technet.microsoft.com/en-us/security/bulletin/ms13-054

Microsoft Security Bulletin MS13-054
Vulnerability in Windows Components Could Allow Remote Code Execution (2848295)
http://technet.microsoft.com/en-us/security/bulletin/ms13-054

ISS X-Force
Microsoft Windows kernel font code execution
http://www.iss.net/security_center/static/53974.php

CVE
CVE-2009-2514
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2514