Vigil@nce - Windows: denial of service via TrueType
November 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to display or to preview a
malicious TrueType file, in order to restart the Windows kernel.
Severity: 1/4
Creation date: 08/11/2011
IMPACTED PRODUCTS
– Microsoft Windows 2008
– Microsoft Windows 7
DESCRIPTION OF THE VULNERABILITY
The display of TrueType fonts calls the Win32k.sys kernel driver.
TrueType files are analyzed:
– when the user opens a TrueType file
– when the user browses a local or remote (SMB, WebClient WebDAV)
directory containing a TrueType file (via the preview feature)
However, during the analysis of a TrueType file, the kernel driver
does not correctly validate an array index. The system therefore
stops and restarts.
An attacker can therefore invite the victim to display or to
preview a malicious TrueType file, in order to restart the Windows
kernel.
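The bulletin does not say which array index Win32k.sys fails to validate, so the following added example (not from the bulletin and not Microsoft's code) illustrates the bug class on a standard TrueType structure instead: a glyph lookup in the 'loca' table, where the glyph count, the glyph index and the stored offsets all come from the file and are checked before use. The function name glyph_range and the sample table are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* TrueType stores integers big-endian. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Constructed sample: short-format 'loca' for 3 glyphs (4 entries, offset/2). */
static const uint8_t SAMPLE_LOCA[] = { 0x00,0x00, 0x00,0x05, 0x00,0x05, 0x00,0x0C };

/* Hypothetical helper: byte range of one glyph inside 'glyf'.
 * num_glyphs comes from 'maxp', long_format from 'head' (indexToLocFormat);
 * both are untrusted file data. Returns 0 on success, -1 on any bad value. */
int glyph_range(const uint8_t *loca, size_t loca_len, uint16_t num_glyphs,
                int long_format, uint32_t glyph_id, size_t glyf_len,
                uint32_t *start, uint32_t *end)
{
    size_t entry = long_format ? 4 : 2;

    /* 'loca' must really contain num_glyphs + 1 entries. */
    if (loca_len / entry < (size_t)num_glyphs + 1)
        return -1;
    /* The index itself must be inside the table. */
    if (glyph_id >= num_glyphs)
        return -1;

    const uint8_t *p = loca + (size_t)glyph_id * entry;
    uint32_t s = long_format ? be32(p) : (uint32_t)be16(p) * 2;
    uint32_t e = long_format ? be32(p + entry) : (uint32_t)be16(p + entry) * 2;

    /* Offsets read from the file must stay inside 'glyf'. */
    if (s > e || e > glyf_len)
        return -1;
    *start = s;
    *end = e;
    return 0;
}

int main(void)
{
    uint32_t s, e;
    /* Glyph 2 is valid; glyph 3 is one past the last glyph and is rejected. */
    int ok = glyph_range(SAMPLE_LOCA, sizeof SAMPLE_LOCA, 3, 0, 2, 24, &s, &e) == 0
          && glyph_range(SAMPLE_LOCA, sizeof SAMPLE_LOCA, 3, 0, 3, 24, &s, &e) == -1;
    return ok ? 0 : 1;
}
```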
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Windows-denial-of-service-via-TrueType-11134