CVE-2011-3402
Published 2011-11-04
Priority: P1 · 94 · high · CVSS 3.1: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2025-10-27
Exploited in the wild
EPSS: 78.29% (99.5th percentile)
Unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page, as exploited in the wild in November 2011 by Duqu, aka "TrueType Font Parsing Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
Snort: GID 3, SID 20539
- CVE-2011-3402 is exploited via crafted TrueType font data embedded in a Word document or web page, targeting win32k.sys in the Windows kernel-mode driver.
- Monitor for unusual outbound network connections, unexpected system driver modifications, and kernel-level code loading as indicators of Duqu activity exploiting this CVE.
- Duqu uses spearphishing emails with malicious attachments as the primary delivery vector for this exploit.
- The Snort rule SID 20539 (GID 3) was released by Sourcefire within 48 hours of the advisory; verify it is still current in your ruleset as it may have been superseded.
- The Styx exploit kit infrastructure used this CVE alongside Java exploits; the malicious domain styx-crypt[dot]com was the public-facing marketing site for the kit operators.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| VulnCheck | n/a | 8.8 | HIGH | n/a |
| CISA | n/a | 8.8 | HIGH | n/a |
GHSA
GHSA-qv6f-65c9-qp9p: Unspecified vulnerability in the TrueType font parsing engine in win32k
ghsa_unreviewed · 2022-05-13 · CVE-2011-3402 [HIGH]
GHSA
GHSA-mfgm-v8rv-75rw: Array index error in win32k
ghsa_unreviewed · 2022-05-13 · CVSS 8.8 · CVE-2011-2004 [HIGH] · CWE-20
Array index error in win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows remote attackers to cause a denial of service (reboot) via a crafted TrueType font file, aka "TrueType Font Parsing Vulnerability," a different vulnerability than CVE-2011-3402.
VulnCheck
Microsoft Windows Remote Code Execution Vulnerability
vulncheck · 2011 · CVSS 8.8 · CVE-2011-3402 [HIGH]
Microsoft Windows Kernel contains an unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers that allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page.
Affected: Microsoft Windows
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2011-3402; https://web.archive.org/web/20120304003736/http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_a-look-back-at-2011_information-is-currency.pd
Project Zero
Project Zero RCA: CVE-2023-26369: Adobe Acrobat PDF Reader RCE when processing TTF fonts
project_zero · CVSS 7.8 · CVE-2023-26369 [HIGH]
# CVE-2023-26369: Adobe Acrobat PDF Reader RCE when processing TTF fonts
Clement Lecigne, Google Threat Analysis Group
## The Basics
**Disclosure or Patch Date:** September 12, 2023
**Product:** Adobe Acrobat Reader on Windows and MacOS
**Advisory:** https://helpx.adobe.com/security/products/acrobat/apsb23-34.html
**Affected Versions:** 23.003.20284 and earlier versions
**First Patched Version:** 23.006.20320
**Issue/Bug Report:** N/A
**Patch CL:** N/A (closed source)
**Bug-Introducing CL:** N/A
**Reporter(s):** Anonymous
## The Code
**Proof-of-concept:**
TTF font with the following bitmap tables.
```
EBLC :
version : 0x20000
numSizes : 0x1
[-] 0th bitmapSizeTable
indexSubTableArrayOffset : 0x38
indexTablesSize : 0x100
numberOfIndexSubTables : 0x2
colorRef : 0x0
hori : 0b f
```
CISA
Microsoft Windows Remote Code Execution Vulnerability
cisa · 2025-10-06 · CVSS 8.8 · CVE-2011-3402 [HIGH]
Affected: Microsoft Windows
Microsoft Windows Kernel contains an unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers that allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-087 ; https://nvd.nist.gov/vuln/detail/CVE-2011-3402
Remediation Due Date: 2025-10-27
No detection rules found.
Checkpoint
The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day
blogs_checkpoint · 2021-02-22 · CVE-2017-0005
## The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day
Research by: Eyal Itkin and Itay Cohen
There is a theory which states that if anyone will ever manage to steal
Krebs
Styx Exploit Pack: Domo Arigato, PC Roboto
blogs_krebs · 2013-07-08
Not long ago, miscreants who wanted to buy an exploit kit — automated software that helps booby-trap hacked sites to deploy malicious code — had to be fairly well-connected, or at least have access to semi-private underground forums. These days, some exploit kit makers are brazenly advertising and offering their services out in the open, marketing their wares as browser vulnerability “stress-test platforms.”
Styx Pack victims, by browser and OS version.
Aptly named after the river in Greek mythology that separates mere mortals from the underworld, the Styx exploit pack is a high-end software package that is made for the underground but marketed and serviced at the public styx-crypt[dot]com. The purveyors of this malware-as-a-service also have made a 24 hour virtual help desk available to
Krebs
Crimeware Author Funds Exploit Buying Spree
blogs_krebs · 2013-01-07 · CVSS 8.8 [HIGH]
The author of Blackhole, an exploit kit that booby-traps hacked Web sites to serve malware, has done so well for himself renting his creation to miscreants that the software has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb. Recently, however, the author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes.
Cool Exploit Kit.
An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed. In early October 2012,
Talos
Microsoft Security Advisory 2639658
blogs_talos · 2011-11-08 · CVSS 8.8 · CVE-2011-3402 [HIGH]
## Microsoft Security Advisory 2639658
Microsoft recently added a new initiative to its Microsoft Active Protection Program (MAPP), called the Advisory Initiative program, which gives partners up to 96 hours to provide protection for discovered vulnerabilities. Microsoft piloted the program with an advisory release on the Win32K TrueType font parsing engine, related to the Duqu malware (CVE-2011-3402). Sourcefire released its protections for this threat within the first 48 hours, as noted on the MAPP site http://technet.microsoft.com/en-us/security/advisorymapp:
SID: GID 3, SID 20539
http://labs.snort.org/papers/ms/immediate-response.html
Duqu exploits a vulnerability in Windows in the way it parses TrueType fonts and it can create an open tunnel into a user's computer. Then attackers have the freedom to gain full system acce
Zscaler
Zscaler Provides Vulnerability Protection for MS Advisory
blogs_zscaler · CVSS 8.8 [HIGH]
Huntress
Duqu Malware: Analysis, Detection, Removal | Huntress
blogs_huntress
## Duqu Malware
Published: 12/12/2025
Written by: Lizzie Danielson
## What is Duqu Malware?
Duqu is a sophisticated strain of malware often classified as spyware, though it shares significant traits with trojans. Discovered in 2011, it is closely associated with the infamous Stuxnet worm, leading to speculation that it was developed by advanced threat actors with similarly high capabilities. Duqu is known for its modular architecture, designed to steal sensitive data from infected systems while evading detection. Its threat level is considered high, primarily targeting industrial systems and organizations holding critical information.
## When was Duqu first discovered?
Duqu was first identified in September 2011 by the Hungarian research lab CrySyS. Evidence suggests that it had bee
Zscaler
Zscaler Protects against Microsoft's Patch Cycle | Round 8
blogs_zscaler · CVSS 9.3 [CRITICAL]
Zscaler
Zscaler Protects against Microsoft's Patch Cycle | Round 9
blogs_zscaler · CVSS 9.3 [CRITICAL]
Zscaler
Zscaler Protects against Microsoft's Patch Cycle | Round 1
blogs_zscaler · CVSS 9.3 [CRITICAL]
Recorded Future
October 2025 CVE Landscape
blogs_recorded_future · CVSS 9.8 [CRITICAL]
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext · 2025-02-12
Almuthanna Alageel and Sergio Maffeis, Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
arXiv
o-glasses: Visualizing x86 Code from Binary Using a 1d-CNN
arxiv_fulltext · 2018-06-14
Yuhei Otsubo (1, 2), Akira Otsuka (2), Mamoru Mimura (3, 2), Takeshi Sakaki (4), Atsuhiro Goto (2)
1. National Police Agency, Tokyo, Japan
2. Institute of Information Security, Kanagawa, Japan
3. National Defense Academy, Kanagawa, Japan
4. The University of Tokyo, Tokyo, Japan
## Abstract
Malicious document files used in targeted attacks often contain a small program called shellcode.
It is often hard to prepare a runnable environment for dynamic analysis of these document files because they exploit specific vulnerabilities.
In these cases, it is necessary to identify the position of the shellcode in each document file to analyze it.
If the exploit code uses executable scripts such as JavaScript and Flash, it is not so hard to locate the s
Published: 2011-11-04
Added to CISA KEV: 2025-10-06
Exploited in the wild