CVE-2010-2738
Published 2010-09-15
Priority P265 · critical · CVSS 2.0 score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 18.54% (96.9th percentile)
The Uniscribe (aka new Unicode Script Processor) implementation in USP10.DLL in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 Gold and SP2, and Microsoft Office XP SP3, 2003 SP3, and 2007 SP2, does not properly validate tables associated with malformed OpenType fonts, which allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) Office document, aka "Uniscribe Font Parsing Engine Memory Corruption Vulnerability."
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
Detection & IOCs (extracted from sources)
- bytes: nGroups = '\x00\x00\x00\xDC'
- bytes: startCharCode = '\x00\xE5\xF7\x20'
- bytes: endCharCode = '\x00\xE5\xF7\xFE'
- The exploit targets USP10.DLL (Uniscribe) by crafting a malformed OpenType/TrueType font file with a manipulated Format 12 cmap subtable (specifically the nGroups, startCharCode, and endCharCode fields) to trigger memory corruption. Monitor for anomalous TTF/OTF files delivered via web or Office documents.
- The PoC generates a crafted font named 'FreeSans.ttf' from a base 'src.ttf', patching bytes at offset 18316–18328 with a malicious nGroups value (0x000000DC) and oversized character code ranges. Detections should flag TTF files with Format 12 cmap nGroups values that produce out-of-bounds character code ranges.
- Attack vector is either a crafted web page or a malicious Office document (XP SP3, 2003 SP3, 2007 SP2) embedding a malformed OpenType font. Inspect Office documents and web content for embedded font resources with anomalous cmap table structures.
- Affected component is USP10.DLL across a wide range of Windows and Office versions (XP SP2/SP3, Server 2003 SP2, Vista SP1/SP2, Server 2008 Gold/SP2, Office XP SP3, 2003 SP3, 2007 SP2); detections should account for all these platforms.
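Added example, not code from the page or its sources: a defender-side consistency check that parses a raw OpenType cmap table, locates Format 12 subtables, and flags the two inconsistencies the bullets above describe, an nGroups value larger than the subtable can actually hold and character code ranges beyond U+10FFFF; it also goes slightly beyond the page by checking that groups are sorted and non-overlapping. The constructed sample cmap (build_cmap, a hypothetical helper) reuses the nGroups and character code values quoted in the IOCs; the header layout and the (3,10) encoding record follow the OpenType cmap specification.

```python
import struct

UNICODE_MAX = 0x10FFFF  # highest valid Unicode code point

def check_cmap_format12(cmap: bytes) -> list:
    """Scan a raw OpenType 'cmap' table and return findings for every
    Format 12 subtable whose nGroups or group ranges are inconsistent."""
    findings = []
    if len(cmap) < 4:
        return ["cmap header truncated"]
    _ver, num_tables = struct.unpack_from(">HH", cmap, 0)
    for i in range(num_tables):
        rec = 4 + 8 * i  # encoding records follow the 4-byte header
        if rec + 8 > len(cmap):
            findings.append(f"encoding record {i} runs past end of cmap")
            break
        _plat, _enc, off = struct.unpack_from(">HHI", cmap, rec)
        if off + 16 > len(cmap):
            findings.append(f"subtable {i}: offset {off} leaves no room for a header")
            continue
        if struct.unpack_from(">H", cmap, off)[0] != 12:
            continue  # only Format 12 (segmented coverage) is checked here
        _res, length, _lang, ngroups = struct.unpack_from(">HIII", cmap, off + 2)
        avail = len(cmap) - off
        if length > avail:
            findings.append(f"subtable {i}: declared length {length} > {avail} bytes available")
        needed = 16 + 12 * ngroups  # 16-byte header plus 12 bytes per group
        if needed > min(length, avail):
            findings.append(f"subtable {i}: nGroups={ngroups} needs {needed} bytes, only {min(length, avail)} present")
        prev_end = -1
        # walk only the groups that physically exist, never trusting nGroups
        for g in range(min(ngroups, (avail - 16) // 12)):
            start, end, _gid = struct.unpack_from(">III", cmap, off + 16 + 12 * g)
            if start > end:
                findings.append(f"subtable {i} group {g}: start {start:#x} > end {end:#x}")
            if end > UNICODE_MAX:
                findings.append(f"subtable {i} group {g}: end {end:#x} beyond U+10FFFF")
            if start <= prev_end:
                findings.append(f"subtable {i} group {g}: not sorted or overlapping")
            prev_end = end
    return findings

def build_cmap(ngroups: int, groups: list) -> bytes:
    """Constructed sample: a cmap with one (3,10) record pointing at a Format 12 subtable."""
    sub = struct.pack(">HHIII", 12, 0, 16 + 12 * len(groups), 0, ngroups)
    sub += b"".join(struct.pack(">III", s, e, gid) for s, e, gid in groups)
    return struct.pack(">HHHHI", 0, 1, 3, 10, 12) + sub  # header + record, subtable at 12

if __name__ == "__main__":
    print(check_cmap_format12(build_cmap(1, [(0x41, 0x5A, 1)])))  # well-formed A..Z
    print(check_cmap_format12(build_cmap(0xDC, [(0x00E5F720, 0x00E5F7FE, 1)])))  # page's IOC values
```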
No detection rules found.
References
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-063
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7214