cbcvebase.
CVE-2017-11762
published 2017-10-13

CVE-2017-11762: The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1…

PriorityP357high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EPSS
17.15%
96.7th percentile
The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows a remote code execution vulnerability in the way it handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-11763.

Affected

18 ranges
VendorProductVersion rangeFixed in
microsoftwindows_10
microsoftwindows_10
microsoftwindows_10
microsoftwindows_server_2008
microsoftwindows_server_2012
microsoft_corporationmicrosoft_graphics_component
msrcwindows_10
msrcwindows_10_version_1511
msrcwindows_10_version_1607
msrcwindows_10_version_1703
msrcwindows_7
msrcwindows_8.1
msrcwindows_rt_8.1
msrcwindows_server_2008
msrcwindows_server_2008_r2
msrcwindows_server_2012
msrcwindows_server_2012_r2
msrcwindows_server_2016

Detection & IOCsextracted from sources · hover to see the quote

  • CVE-2017-11762 can be exploited via a browser by hosting a specially crafted website with malicious embedded fonts, or via a malicious document file attachment — monitor for suspicious font-loading activity in browser and Office processes.
  • The vulnerability is triggered by specially crafted embedded fonts processed by the Windows font library — inspect documents and web content for anomalous embedded font structures (e.g., malformed OTF/TTF).
  • File-sharing / spear-phishing delivery vector: attacker sends a specially crafted document via email — monitor email attachments and document opens that trigger font parsing in the Windows Graphics Component.
  • CVE-2017-11762 is exploitable through a browser or malicious file — prioritize detection on workstation-type systems that use email and access the internet via a browser.
  • ·Microsoft rates exploitation as 'More Likely' for both latest and older software releases, but as of the advisory there is no confirmed in-the-wild exploitation or public exploit code for CVE-2017-11762.
  • ·CVE-2017-11762 is distinct from the closely related CVE-2017-11763, which affects the same Windows font library component — ensure detections and patches address both CVEs independently.

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_msrc8.1HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.