Microsoft Windows TrueType Parsing Engine Code Execution (Nov 3, 2011)


TrueType is an outline font standard originally developed by Apple Computer in the late 1980s as a competitor to Adobe’s Type 1 fonts used in PostScript. TrueType has become the most common format for fonts on both the Mac OS and Microsoft Windows operating systems. In Microsoft Windows, the OS uses a Windows component, the Win32k TrueType font parsing engine to analyze the TTF data.

A remote code execution vulnerability has been found in Microsoft Windows. Especially the vulnerability was found in the Win32k TrueType font parsing engine. By exploiting this vulnerability, an attacker could run arbitrary code in kernel mode on the target system. This vulnerability is related to the Duqu malware.

SonicWALL UTM team has researched this vulnerability and released a GAV signature as following:

  • 56984 TTF.Exp.MP.1

The vulnerability has been referred by the vendor, Microsoft as 2639658, and it’s referred by CVE as CVE-2011-3402.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.