CVE-2017-11763
published 2017-10-13


Priority: P357 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 17.15% (96.7th percentile)
The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows a remote code execution vulnerability in the way it handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-11763.

Affected

18 ranges
Vendor                 Product                       Version range  Fixed in
microsoft              windows_10
microsoft              windows_10
microsoft              windows_10
microsoft              windows_server_2008
microsoft              windows_server_2012
microsoft_corporation  microsoft_graphics_component
msrc                   windows_10
msrc                   windows_10_version_1511
msrc                   windows_10_version_1607
msrc                   windows_10_version_1703
msrc                   windows_7
msrc                   windows_8.1
msrc                   windows_rt_8.1
msrc                   windows_server_2008
msrc                   windows_server_2008_r2
msrc                   windows_server_2012
msrc                   windows_server_2012_r2
msrc                   windows_server_2016

Detection & IOCs (extracted from sources)

  • CVE-2017-11763 is exploitable via a browser-based attack using a specially crafted website hosting malicious embedded EOT fonts, or via a malicious document file containing embedded fonts — monitor for suspicious t2embed.dll loading activity in browser and Office processes
  • The crash manifests as an out-of-bounds write (movdqa to an invalid address) inside msvcrt!_VEC_memcpy called from t2embed!ApplyNameChangeToNameRecords; detection should look for access violation exceptions (0xC0000005) in processes loading t2embed.dll with this call stack pattern
  • CVE-2017-11763 can be exploited through a browser or malicious file containing embedded EOT fonts; prioritize detection on workstation-type systems that use email and access the internet via a browser
  • The vulnerable code path flows through t2embed!TTLoadEmbeddedFont -> t2embed!T2LoadEmbeddedFont -> t2embed!T2EnableEmbeddingForFacename -> t2embed!ApplyNameChangeToNameRecords; alert on this call chain in crash telemetry or EDR stack traces
  • The detailed crash analysis in the Fortinet blog is based on t2embed.dll version 6.1.7601.17514 on Windows 7 x86; behavior and offsets may differ on other affected Windows versions
  • Microsoft assessed exploitation as 'More Likely' for both latest and older software releases, but as of patch release the vulnerability had not been publicly exploited in the wild

CVSS provenance

nvd          v3.0  8.8  HIGH    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0  6.8  MEDIUM  AV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_msrc        8.1  HIGH