Updated 11-9-2011: Microsoft Windows win32k.sys TrueType Font Parsing Vulnerability

*update 11-9-2011: An IPS rule has been put in place to block all external attempts to exploit this vulnerability.  There is still a potentional threat if a host on Purdue's network is infected with the Duqu worm, but all external threats have been mitigated.

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error within the Win32k kernel-mode driver (win32k.sys) when parsing TrueType fonts.

Successful exploitation allows execution of arbitrary code.

More information can be found in the original advisory: Microsoft (KB2639658)

http://technet.microsoft.com/en-us/security/advisory/2639658

Posted by Curt Jansen on November 04, 2011, in Handlers Log.