CVE-2017-0086
published 2017-03-17

Priority: P2 (72)
CVSS 3.0: 8.8 (high)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 42.55% (98.5th percentile)
Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka "Uniscribe Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0072, CVE-2017-0083, CVE-2017-0084, CVE-2017-0087, CVE-2017-0088, CVE-2017-0089, and CVE-2017-0090.

Affected

14 ranges (the version-range and fixed-in columns are not populated on this page)

Vendor                 Product                                                        Version range   Fixed in
microsoft              windows_10
microsoft              windows_10
microsoft              windows_server_2008
microsoft              windows_server_2012
microsoft_corporation  windows_uniscribe
msrc                   windows_7_for_32-bit_systems_service_pack_1
msrc                   windows_7_for_x64-based_systems_service_pack_1
msrc                   windows_server_2008_for_32-bit_systems_service_pack_2
msrc                   windows_server_2008_for_itanium-based_systems_service_pack_2
msrc                   windows_server_2008_for_x64-based_systems_service_pack_2
msrc                   windows_server_2008_r2_for_itanium-based_systems_service_pack_1
msrc                   windows_server_2008_r2_for_x64-based_systems_service_pack_1
msrc                   windows_vista_service_pack_2
msrc                   windows_vista_x64_edition_service_pack_2

Detection & IOCs (extracted from the sources below)

Source: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41649.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1025
  • The crash occurs in USP10!otlCacheManager::GlyphsSubstituted via heap memory corruption while processing a specially crafted font file; monitor for access violations (exception code c0000005) originating from USP10.dll with otlCacheManager::GlyphsSubstituted on the call stack.
  • The attack vector is a crafted web page or document file delivered via an email/IM link or attachment; monitor for USP10.dll heap corruption triggered from browser or document-rendering processes.
  • Call stack signature for detection: msvcrt!_VEC_memcpy -> msvcrt!_VEC_memzero -> USP10!otlCacheManager::GlyphsSubstituted -> USP10!ApplyFeatures -> USP10!SubstituteOtlGlyphs -> USP10!ArabicEngineGetGlyphs -> USP10!ScriptShape
  • The exploit reproduces on Windows 7; PageHeap makes reproduction easier, but the crash also occurs in the default configuration. Monitor font processing in USP10.dll on Windows Vista SP2, Server 2008 SP2/R2 SP1, and Windows 7 SP1.
  • The vulnerability is triggered during Arabic glyph shaping/substitution (the ArabicEngineGetGlyphs call chain); crafted font files must be rendered at various point sizes across all glyphs to reliably trigger the crash.
  • Exploit status at time of patch: publicly disclosed = No, exploited in the wild = No, older software releases rated "Exploitation Less Likely".

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.0     8.8    HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc           8.8    HIGH