CVE-2017-11763
published 2017-10-13
CVE-2017-11763: The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1…
Priority P3 · 57 · high · 8.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 17.15% (96.7th percentile)
The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows a remote code execution vulnerability in the way it handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-11763.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft_corporation | microsoft_graphics_component | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1703 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
Detection & IOCs (extracted from sources)
- CVE-2017-11763 is exploitable via a browser-based attack using a specially crafted website hosting malicious embedded EOT fonts, or via a malicious document file containing embedded fonts. Monitor for suspicious t2embed.dll loading activity in browser and Office processes.
- The crash manifests as an out-of-bounds write (movdqa to an invalid address) inside msvcrt!_VEC_memcpy, called from t2embed!ApplyNameChangeToNameRecords. Detection should look for access violation exceptions (0xC0000005) in processes loading t2embed.dll with this call stack pattern.
- CVE-2017-11763 can be exploited through a browser or a malicious file containing embedded EOT fonts. Prioritize detection on workstation-type systems that use email and access the internet via a browser.
- The vulnerable code path flows through t2embed!TTLoadEmbeddedFont -> t2embed!T2LoadEmbeddedFont -> t2embed!T2EnableEmbeddingForFacename -> t2embed!ApplyNameChangeToNameRecords. Alert on this call chain in crash telemetry or EDR stack traces.
- The detailed crash analysis in the Fortinet blog is based on t2embed.dll version 6.1.7601.17514 on Windows 7 x86; behavior and offsets may differ on other affected Windows versions.
- Microsoft assessed exploitation as 'More Likely' for both latest and older software releases, but as of patch release the vulnerability had not been publicly exploited in the wild.
CVSS provenance
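| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vendor_msrc | — | 8.1 | HIGH | — |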
GHSA
GHSA-qhfp-6m5p-q7c2: The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
ghsa_unreviewed·2022-05-13·CVSS 8.8
CVE-2017-11763 [HIGH] CWE-20 GHSA-qhfp-6m5p-q7c2: The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
GHSA
GHSA-v5jq-x7gc-x4mv: The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
ghsa_unreviewed·2022-05-13·CVSS 8.8
CVE-2017-11762 [HIGH] CWE-20 GHSA-v5jq-x7gc-x4mv: The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8
The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows a remote code execution vulnerability in the way it handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-11763.
Microsoft
Microsoft Graphics Remote Code Execution Vulnerability
vendor_msrc·2017-10-10·CVSS 8.1
CVE-2017-11763 [HIGH] Microsoft Graphics Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
There are multiple ways an attacker could exploit the vulnerability:
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view
No detection rules found.
No public exploits indexed.
Fortinet
A 14-day Journey through Embedded Open Type Font Fuzzing
blogs_fortinet·2017-10-19·CVSS 8.8
[HIGH] A 14-day Journey through Embedded Open Type Font Fuzzing
FORTIGUARD LABS THREAT RESEARCH
By Wayne Chin Yick Low | October 19, 2017
Introduction
One of our daily routines as researchers here at FortiGuard Labs is to write and maintain our internal fuzzers to help us more effectively find potential vulnerabilities in different software products. We have a range of such tools, from highly sophisticated algorithms to some dumb fuzzers that run 24/7 to find potential issues in Microsoft Office suites. Even those give us surprises from time to time, even though they are not cutting-edge fuzzers. In this blog post we would like to share how we discovered multiple Embedded Open Type (EOT) font vulnerabilities by using a combination of dumb and intelligent open source fuzzers.
Background
EOT fo
Qualys
October Patch Tuesday: 28 Critical Microsoft Vulnerabilities | Qualys
blogs_qualys·2017-10-10·CVSS 8.8
CVE-2017-11826 [HIGH] October Patch Tuesday: 28 Critical Microsoft Vulnerabilities | Qualys
Today Microsoft released patches covering 62 vulnerabilities as part of October’s Patch Tuesday update, with 30 of them affecting Windows. Patches covering 28 of these vulnerabilities are labeled as Critical, and 33 can result in Remote Code Execution. According to Microsoft, a vulnerability in Microsoft Office is being actively exploited in the wild.
Top priority for patching should go to a vulnerability in Microsoft Office, CVE-2017-11826, which Microsoft has ranked as “Important” and is actively being exploited in the wild.
Priority should also be given to CVE-2017-11771, which is a vulnerability in the Windows Search service. This is the fourth Patch Tuesday this year to feature a vulnerability in this service. As with the others, this vulnerability can be exploited remotely via SMB
Talos
Microsoft Patch Tuesday - October 2017
blogs_talos·2017-10-10·CVSS 8.8
[HIGH] Microsoft Patch Tuesday - October 2017
## Microsoft Patch Tuesday - October 2017
Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 63 new vulnerabilities with 28 of them rated critical and 35 rated important. These vulnerabilities impact Graphics, Edge, Internet Explorer, Office, Sharepoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more.
## Vulnerabilities Rated Critical
The following vulnerabilities are rated "Critical" by Microsoft:
- CVE-2017-11813 - Internet Explorer Memory Corruption Vulnerability
- CVE-2017-11822 - Internet Explorer Memory Corruption Vulnerability
- CVE-2017-11762 - Microsoft Graphics Remote Code Execution Vulnerability
- CVE-2017-11763 - Microsoft G
http://www.securityfocus.com/bid/101109
http://www.securitytracker.com/id/1039536
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11763