CVE-2012-2897
published 2012-09-26CVE-2012-2897: The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7…
PriorityP351high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
EPSS
21.69%
97.3th percentile
The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT, as used by Google Chrome before 22.0.1229.79 and other programs, do not properly handle objects in memory, which allows remote attackers to execute arbitrary code via a crafted TrueType font file, aka "Windows Font Parsing Vulnerability" or "TrueType Font Parsing Vulnerability."
Affected
53 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chrome | <= 22.0.1229.78 | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — | |
| chrome | — | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
Bugzilla
Update OTS to r95
bugzilla·2012-11-13·CVSS 7.8
CVE-2012-2897 [HIGH] Update OTS to r95
Update OTS to r95
We should update OTS to r95 to fix an out of bounds issue.
Discussion:
some information at https://chromiumcodereview.appspot.com/10913058, the chromium bug is hidden.
http://code.google.com/p/chromium/issues/detail?id=146254
Also identified as CVE-2012-2897, and MS is apparently fixing the underlying kernel bug today https://twitter.com/NTarakanov/status/267912298776104962
There may still be other OS bugs triggerable from the same table, we should still take the OTS patch.
---
Created attachment 681983
update OTS library to r.95
---
Created attachment 681988
update OTS library to r.95
---
Comment on attachment 681988
update OTS library to r.95
[Security approval request comment]
How easily can the security issue be deduced from the patch?
The flaw in OTS is e
Zscaler
Zscaler Protects against Microsoft's Patch Cycle | Round 3
blogs_zscaler·CVSS 9.3
[CRITICAL] Zscaler Protects against Microsoft's Patch Cycle | Round 3
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Provide zero trust site-to-site connectivity and reliable access to B2B apps for partners.
Industry Report
Zscaler: A Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
USE CASES
INDUSTRY & MARKET SOLUTIONS
PARTNERS
TECHNOLOGY PARTNERS
Resource Center
Events & Trainings
Security Research & Services
Tools
Community & Support
CXO REVOLUTIONARIES
Amplifying the voices of real-world digital and zero trust pioneers
Discover how it began and where it’s going
Meet o
http://googlechromereleases.blogspot.com/2012/09/stable-channel-update_25.htmlhttp://secunia.com/advisories/51239http://www.securitytracker.com/id?1027750http://www.us-cert.gov/cas/techalerts/TA12-318A.htmlhttps://code.google.com/p/chromium/issues/detail?id=146254https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-075https://exchange.xforce.ibmcloud.com/vulnerabilities/78822https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15847http://googlechromereleases.blogspot.com/2012/09/stable-channel-update_25.htmlhttp://secunia.com/advisories/51239http://www.securitytracker.com/id?1027750http://www.us-cert.gov/cas/techalerts/TA12-318A.htmlhttps://code.google.com/p/chromium/issues/detail?id=146254https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-075https://exchange.xforce.ibmcloud.com/vulnerabilities/78822https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15847
2012-09-26
Published