CVE-2017-8691
published 2017-08-08

CVE-2017-8691: Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow an attacker to execute code remotely on a target system when the Windows font library fails to…

Priority: P260 · high · 8.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 19.77% (97.1th percentile)
Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow an attacker to execute code remotely on a target system when the Windows font library fails to properly handle specially crafted embedded fonts, aka "Express Compressed Fonts Remote Code Execution Vulnerability."

Affected

9 ranges

Vendor | Product | Version range | Fixed in
microsoft | windows_server_2008 | |
microsoft_corporation | windows_kernel-mode_drivers | |
msrc | windows_7_for_32-bit_systems_service_pack_1 | |
msrc | windows_7_for_x64-based_systems_service_pack_1 | |
msrc | windows_server_2008_for_32-bit_systems_service_pack_2 | |
msrc | windows_server_2008_for_itanium-based_systems_service_pack_2 | |
msrc | windows_server_2008_for_x64-based_systems_service_pack_2 | |
msrc | windows_server_2008_r2_for_itanium-based_systems_service_pack_1 | |
msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | |

Detection & IOCs (extracted from sources)

path: t2embed.dll
process: TTLoadEmbeddedFont
version: t2embed.dll version 6.1.7601.17514
  • Crash occurs in t2embed.dll during EOT font decompression — monitor for access violations (STATUS_ACCESS_VIOLATION / 0xC0000005) originating from t2embed!TTEmbedFontFromFileA or t2embed!TTLoadEmbeddedFont call stacks.
  • Vulnerability is triggered via specially crafted EOT (Embedded Open Type) fonts embedded in Office documents (e.g., PowerPoint .pptx) or web pages — inspect documents containing embedded EOT font streams for malformed compressed font data.
  • Attack vector includes web-based delivery (malicious website) and file-sharing (malicious Office document attachment) — monitor for t2embed.dll loaded within browser or Office process context handling untrusted EOT fonts.
  • The vulnerability can also be exploited through a browser — monitor browser processes (e.g., Internet Explorer) loading t2embed.dll for anomalous EOT font parsing activity.
  • Affected platforms are limited to Windows Server 2008 SP2, Windows Server 2008 R2 SP1, and Windows 7 SP1 — Windows 10 and later are not affected by this specific CVE.
  • As of the August 2017 Patch Tuesday disclosure, this vulnerability had not been observed exploited in the wild.
  • The root cause analysis was performed on t2embed.dll version 6.1.7601.17514 (Windows 7 x86); behavior on other patch levels may differ.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc | | 5.0 | MEDIUM |