CVE-2017-8691
Published 2017-08-08
CVE-2017-8691: Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow an attacker to execute code remotely on a target system when the Windows font library fails to…
Priority P260 · high · 8.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 19.77% (97.1th percentile)
Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow an attacker to execute code remotely on a target system when the Windows font library fails to properly handle specially crafted embedded fonts, aka "Express Compressed Fonts Remote Code Execution Vulnerability."
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft_corporation | windows_kernel-mode_drivers | — | — |
| msrc | windows_7_for_32-bit_systems_service_pack_1 | — | — |
| msrc | windows_7_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2008_for_32-bit_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_itanium-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_x64-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_r2_for_itanium-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | — | — |
Detection & IOCs (extracted from sources)
- Crash occurs in t2embed.dll during EOT font decompression — monitor for access violations (STATUS_ACCESS_VIOLATION / 0xC0000005) originating from t2embed!TTEmbedFontFromFileA or t2embed!TTLoadEmbeddedFont call stacks.
- Vulnerability is triggered via specially crafted EOT (Embedded Open Type) fonts embedded in Office documents (e.g., PowerPoint .pptx) or web pages — inspect documents containing embedded EOT font streams for malformed compressed font data.
- Attack vector includes web-based delivery (malicious website) and file-sharing (malicious Office document attachment) — monitor for t2embed.dll loaded within browser or Office process context handling untrusted EOT fonts.
- The vulnerability can also be exploited through a browser — monitor browser processes (e.g., Internet Explorer) loading t2embed.dll for anomalous EOT font parsing activity.
- Affected platforms are limited to Windows Server 2008 SP2, Windows Server 2008 R2 SP1, and Windows 7 SP1 — Windows 10 and later are not affected by this specific CVE.
- As of the August 2017 Patch Tuesday disclosure, this vulnerability had not been observed exploited in the wild.
- The root cause analysis was performed on t2embed.dll version 6.1.7601.17514 (Windows 7 x86); behavior on other patch levels may differ.
CVSS provenance
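| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_msrc | | 5.0 | MEDIUM | |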
GHSA
GHSA-wwvx-xw8g-3vv3: Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow an attacker to execute code remotely on a target system when the Windows font library fail
ghsa_unreviewed·2022-05-13
CVE-2017-8691 [HIGH] CWE-119 GHSA-wwvx-xw8g-3vv3: Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow an attacker to execute code remotely on a target system when the Windows font library fail
Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow an attacker to execute code remotely on a target system when the Windows font library fails to properly handle specially crafted embedded fonts, aka "Express Compressed Fonts Remote Code Execution Vulnerability."
Microsoft
Express Compressed Fonts Remote Code Execution Vulnerability
vendor_msrc·2017-08-08·CVSS 5.0
CVE-2017-8691 [HIGH] Express Compressed Fonts Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited this vulnerability would gain code execution on the target system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
There are multiple ways an attacker could exploit the vulnerability:
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled conten
No detection rules found.
No public exploits indexed.
Fortinet
A 14-day Journey through Embedded Open Type Font Fuzzing
blogs_fortinet·2017-10-19·CVSS 8.8
[HIGH] A 14-day Journey through Embedded Open Type Font Fuzzing
FORTIGUARD LABS THREAT RESEARCH
By Wayne Chin Yick Low | October 19, 2017
Introduction
One of our daily routines as researchers here at FortiGuard Labs is to write and maintain our internal fuzzers to help us more effectively find potential vulnerabilities on different software products. We have a range of such tools, from highly sophisticated algorithms to some dumb fuzzers that run 24/7 to find potential issues on Microsoft Office suites. Even those give us surprises from time to time, even though they are not cutting edge fuzzers. In this blog post we would like to share how we discovered multiple Embedded Open Type (EOT) font vulnerabilities by using a combination of dumb and intelligent open source fuzzers.
Background
EOT fo
Talos
Microsoft Patch Tuesday - August 2017
blogs_talos·2017-08-08·CVSS 7.8
[HIGH] Microsoft Patch Tuesday - August 2017
Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 48 new vulnerabilities with 25 of them rated critical, 21 rated important, and 2 rated moderate. These vulnerabilities impact Edge, Hyper-V, Internet Explorer, Remote Desktop Protocol, Sharepoint, SQL Server, the Windows Subsystem for Linux, and more. In addition, Microsoft is also releasing an update for Adobe Flash Player embedded in Edge and Internet Explorer.
## Vulnerabilities Rated Critical
The following vulnerabilities are rated "critical" by Microsoft:
- CVE-2017-8653 - Microsoft Browser Memory Corruption Vulnerability
- CVE-2017-8669 - Microsoft Browser Memory Corruption Vulnerability
- CVE-2017-866
Qualys
August Patch Tuesday: 25 critical Microsoft vulnerabilities, 43 for Adobe | Qualys
blogs_qualys·2017-08-08·CVSS 7.5
CVE-2017-8620 [HIGH] August Patch Tuesday: 25 critical Microsoft vulnerabilities, 43 for Adobe | Qualys
Today Microsoft released patches covering 48 vulnerabilities as part of August’s Patch Tuesday update, with 15 of them affecting Windows. Patches covering 25 of these vulnerabilities are labeled as Critical, and 27 can result in Remote Code Execution. According to Microsoft, none of these vulnerabilities are currently being exploited in the wild.
Top priority for patching should go to CVE-2017-8620, which is a vulnerability in the Windows Search service. This is the third Patch Tuesday to feature a vulnerability in this service. As with the others, this vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations. While an exploit against this vulnerability can leverage SMB as an attack vector, this is not a vulnerabili
- http://www.securityfocus.com/bid/100090
- http://www.securitytracker.com/id/1039096
- https://fortiguard.com/zeroday/FG-VD-17-142
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8691

Published: 2017-08-08